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(54) Recording/reproducing apparatus, data moving method, and data deletion method 



(57) A recording/reproducing apparatus (5000) in- 
cludes: a first storage section (5001) for storing data 
structure information which includes encrypted data; a 
special information holding section (5002) for holding 
special information associated with the data structure 
information; and a controller (5003) for controlling the 
first storage section and the special information holding 
section. The data structure information is associated 
with the special information such that the special infor- 
mation is updated in response to an update of the data 



structure information, or such that the data structure in- 
formation is updated in response to an update of the 
special information. The controller controls movement 
of the encrypted data from the first storage section to a 
second storage section (5004), and the controller up- 
dates the special information such that a mismatch oc- 
curs between the special information obtained before 
the movement of the encrypted data and the special in- 
formation obtained after the movement of the encrypted 
data. 
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Description 

BACKGROUND OF THE INVENTION 

1 . FIELD OF THE INVENTION: 5 

[0001] The present invention relates to a recording/ 
reproducing apparatus in which illegal copying and ille- 
gal use of copy-generation managed data is prevented. 
Further, the present invention also relates to a method 10 
for moving data and a method for deleting data in which 
illegal copying and illegal use of copy-generation man- 
aged data is prevented. 

2. DESCRIPTION OF THE RELATED ART: 15 

[0002] In recent years, various digital recording/repro- 
ducing apparatuses have been developed and market- 
ed. Among these digital recording/reproducing appara- 
tuses, data can be copied without deteriorating the im- 20 
age quality and sound quality of the data. Thus, a digi- 
talized, copyrighted production can be copied into a 
widespread, large capacity recording medium, such as 
a D-VCR, DVD-RAM, etc., with high image- and sound- 
qualities. By copying a production in such a way, illegally 25 
copied products called "bootlegs" can be made. The il- 
legally copied products can be readily distributed among 
the general public anonymously, and accordingly, the 
copyright of the production is violated. It is therefore nec- 
essary to prevent such illegally copied products in order 30 
to protect copyrights. 

[0003] A known technique for preventing production 
of such an illegally copiedproduct is described in Japa- 
nese Laid-Open Publication No. 2001-16542. Accord- 
ing to this technique, a predetermined ID bit for prevent- 35 
ing illegal copying (a prohibition code of the CGMS 
(copy generation management system) standard) is su- 
perposed on an analog signal obtained by converting a 
digital signal recorded on an original recording medium. 
With such a superposed ID bit, illegal copying is pre- 40 
vented. 

[0004] However, even if the above technique de- 
scribed in Japanese Laid-Open Publication No. 
2001-16542 is employed, when data is transferred be- 
tween apparatuses , a fraudulent party can steal the data 45 
from a data transfer path between the apparatuses so 
as to make an illegally copied product. 
[0005] A known technique for invalidating illegally 
copied data is described in Japanese Laid-Open Publi- 
cation No. 11-39895. In this technique, digital data in- so 
eludes: an encrypted main part of the data; encrypted 
copy management information for managing permis- 
sion/prohibition of copy for the main part of the data; and 
key information for decrypting the encrypted main part 
of the data. When the copy management information in- 55 
dicates that copying of the main part of the data is pro- 
hibited, decryption of the illegally copied, encrypted data 
is disabled by updating the key information. 
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[0006] However, even if the above technique de- 
scribed in Japanese Laid-Open Publication No. 
1 1 -39895 is employed, since the encrypted main part of 
the data and the key information used for decrypting the 
encrypted main part of the data are included in the same 
digital data, a fraudulent party can copy (harbor) the dig- 
ital data in an external recording device or the like in a 
byte-by-byte manner before the key information is up- 
dated, so as to decrypt the illegally copied, encrypted 
main part of the data. 

[0007] Furthermore, recently, movement of data 
which is stored in a large capacity recording device, 
such as a hard disc, to a highly-reliable medium, such 
as an optical disc for making a backup copy has been 
demanded. 

[0008] In general, data distributed by digital broad- 
casting is protected from being stored, but there is some 
data that can be stored for the sake of user's conven- 
ience only for a predetermined time period. There is a 
demand to surely delete such data such that a fraudu- 
lent party cannot illegally copy the data. 

Figure 1 shows a structure of a conventional video 
recording/reproducing apparatus 910. The video 
recording/reproducing apparatus 910 includes: a 
data input section 900; an encryption section 901 ; 
a temporary storage section 902; a data output sec- 
tion 903; a decryption section 904; a central 
processing unit (CPU) 905; an input/output section 
906; a fixed storage device 907; a read/write sec- 
tion 908; and an information recording medium 909. 
The CPU 905 controls the data input section 900; 
the encryption section 901; the temporary storage 
section 902; the data output section 903; the de- 
cryption section 904; the input/output section 906; 
and the read/write section 908. 

The data input section 900 converts externally- 
input analog image data into digitally compressed 
image data. If copy generation management infor- 
mation attached to the compressed image data, 
which is input to the encryption section 901 : is free- 
content information indicating that the compressed 
data is a free content, the encryption section 901 
does not perform an encryption process. If the copy 
generation management information indicates that 
production of a child copy (first generation copy) is 
permitted, the encryption section 901 changes the 
copy generation management information into copy 
prohibition information, and the compressed image 
data is encrypted and stored in the temporary stor- 
age section 902. The temporary storage section 
902 is a high speed memory, such as an SDRAM 
or the like. Since the above described sections work 
based on different data transfer rates, the tempo- 
rary storage section 902 is used as buffer means 
for buffering the transfer rate difference among the 
sections. The decryption section 904 decrypts en- 
crypted data and outputs the decrypted data to the 
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data output section 903. The data output section 
903 converts the decrypted, digitally compressed 
image data into analog image data, and outputs the 
analog image data to an external apparatus. The 
input/output section 906 is a communication control 
means, such as IDE, SCSI, or the like, which con- 
trols data transfer to/from the fixed storage device 
907. such as a hard disc. The read/write section 908 
writes data in and/or reads data from the portable 
information recording medium 909, such as a 
DVD-RAM or the like. 

Next, a data recording operation of the video 
recording/reproducing apparatus 910 is described. 

The data input section 900 externally receives 
analog image data, such as a broadcast wave, and 
digitally compresses the analog image data based 
on MPEG. The compressed image data is trans- 
ferred to the encryption section 901 . If the copy gen- 
eration management information attached to the 
compressed image data is the copy prohibition in- 
formation, the encryption section 901 is controlled 
by the C PL) 905 so as to stop a recording operation. 
If the copy generation management information is 
information which permits making a first generation 
copy, the encryption section 901 changes the copy 
generation management information into copy pro- 
hibition information, and encrypts the compressed 
image data using a title key Dh which includes in- 
formation inherent to the fixed storage device 907. 
The encrypted data is transferred to the temporary 
storage section 902. If copy generation manage- 
ment information is free-content information, the 
encryption section 901 does not perform an encryp- 
tion process and transfers the compressed image 
data as it is to the temporary storage section 902. 
The data stored in the temporary storage section 
902 is then transferred to, and stored as a file in, 
the fixed storage device 907 through the input/out- 
put section 906. In this way, recording of the image 
data is performed. 

Figure 2 shows the structure of the fixed storage 
device 907. The fixed storage device 907 has data 
structure information including: a management re- 
gion 1111 for storing management information, 
such as an address and data size of stored data; 
and an object region 1112 for storing the data and 
the title key Dh used for encrypting the data. The 
management information is updated every time da- 
ta comes to the object region and is stored therein. 

[0009] Next, a data reproduction operation of the vid- 
eo recording/reproducing apparatus 910 is described. 
[0010] The CPU 905 reads management information 
from the management region 1111 of the fixed storage 
device 907 through the input/output section 906. The in- 
put/output section 906 searches for a position of data to 
be reproduced based on the read information (address) 



and reads the data from the position in the object region 
1112 into the temporary storage section 902. The CPU 
905 transfers the data stored in the temporary storage 
section 902 to the decryption section 904. The decryp- 

5 tion section 904 decrypts the data using the title key Dh . 
The decrypted data is transferred to the data output sec- 
tion 903. The data output section 903 converts the de- 
crypted, compressed image data into analog image da- 
ta, which is output to an external apparatus, such as a 

10 TV monitor orthe like. In this way, reproduction of image 
data is performed. 

Figure 3 illustrates a procedure for moving data in 
the video recording/reproducing apparatus 910 
15 from the fixed storage device 907 to the information 
recording medium 909. Herein, the data is a pro- 
gram, for example. 

Figure 4 shows the inside states of the fixed storage 
20 device 907 and the information recording medium 

909 during a data movement operation. For the 
sake of simplicity, among the components of the vid- 
eo recording/reproducing apparatus 910 shown in 
Figure 1 , only the fixed storage device 907 and the 
25 information recording medium 909 are shown in 

Figure 4. With reference to Figures 3 and 4 in con- 
junction with Figure 1 , a procedure for moving an 
encrypted program from the fixed storage device 
907 to the information recordingmedium.909 is de- 
30 scribed in steps 11 00 to 11 05 below. Movement of 
data (program P1) from the fixed storage device 
907 to the information recording medium 909 be- 
gins at State (I). 

35 Step 1100: 

[001 1 ] Based on management information A stored in 
the management region 1111, the program P1 and the 
title key Dh used for encrypting the program P1 are read 
40 from the object region 1112 to the temporary storage 
section 902. 

Step 1101: 

45 [0012] The program P1 is moved to the decryption 
section 904 and decrypted using the title key Dh. 

Step 1102: 

50 [0013] The decrypted prog ram P1 is transferred to the 
encryption section 901. In the encryption section 901, 
the decrypted program P1 is encrypted again using a 
title key Dd which includes information inherent to the 
information recording medium 909, and transferred to 

55 the temporary storage section 902. 
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Step 1103: 

[001 4] The re-encrypted program P1 in the temporary 
storage section 902 is written in the information record- 
ing medium 909 by the read/write section 908. 

Step 1104: 

[0015] Steps 1100 to 1103 are repeated until all the 
data included in the program P1 to be moved is. moved 
to the information recording medium 909. 

Step 1105: 

[001 6] All the data of the program P1 has been moved 
to the information recording medium 909 (at this time, 
the fixed storage device 907 and the information record- 
ing medium 909 are in State (II)), the program P1 which 
has been moved to the information recording medium 

909 are deleted from the object region 1112, and the 
management information A stored in the management 
region 1111 is updated to management information A'. 
At this time, the fixed storage device 907 and the infor- 
mation recording medium 909 are in State (lll) : which 
means that movement of the programs has been com- 
pleted. 

[0017] Data recorded in the video recording/repro- 
ducing apparatus 910 shown in Figure 1 is data from 
which production of only a first generation copy (child 
copy) is permitted. Thus, copying of such data into the 
information recording medium 909, such as an optical 
disc, is not permitted, and accordingly, the fixed storage 
device 907 and the information recording medium 909 
never simultaneously store the same data. 
[0018] However, in the above structure, a plurality of 
illegal copies can be produced by connecting another 
fixed storage device 911, such as a personal computer 
having a hard disk, to the video recording/reproducing 
apparatus 910 shown in Figure 1 , and harboring the da- 
ta in the fixed storage device 911. 
[0019] Now, assume that the video recording/repro- 
ducing apparatus 910 moves data P1 from the fixed 
storage device 907 to the information recording medium 
909. At State (i) of Figure 4, data structure information 
stored in the fixed storage device 907 is harbored into 
the personal computer 911 in a byte-by-byte manner. 
Then, when the video recording/reproducing apparatus 

910 is at State (III), the data harbored into the personal 
computer 911 (data structure information at State (I)) is 
returned to the fixed storage device 907, so that the 
management region 1111 and the object region 1112 
are changed from the post-movement/deletion state, i. 
e., State (III), to the pre-movement state, i.e., State (I). 
As a result, the video recording/reproducing apparatus 
910= results in a state where an illegal copy can be 
made, i.e., State (IV). In this state, the fixed storage de- 
vice 907 and the information recording medium 909 si- 
multaneously store the same data (for example, the pro- 



gram P1). By performing the above processing, a plu- 
rality of illegal copies can be readily produced. On the 
other hand, the video recording/reproducing apparatus 
910 itself determines that the data movement operation 

5 has been successfully achieved because the moved da- 
ta was once deleted from the fixed storage device 907 
of the video recording/reproducing apparatus 910. 
[0020] Although music data of about three minutes in 
length can be quickly moved in a moment, the video re- 

10 cording/reproducing apparatus 910 cannot complete 
movement of large video data, such as a piece of movie, 
in a moment. Thus, when the operation of the video re- 
cording/reproducing apparatus 910 is interrupted by, for 
example, turning off the power supply at any timing dur- 

*s ing data movement (for example, between State (II) and 
State (III) in Figure 4), the video recording/reproducing 
apparatus 910 cannot delete the data from the fixed 
storage device 907. As a result, the data movement op- 
eration is interrupted when the video recording/repro- 

20 ducing apparatus 910 is at State (II), so that the fixed 
storage device 907 and the information recording medi- 
um 909 simultaneously store the same data (for exam- 
ple, the program P1 ). By performing the above process- 
ing, a plurality of illegal copies can be readily produced. 

25 

SUMMARY OF THE INVENTION 

[0021] According to one aspect of the present inven- 
tion, a recording/reproducing apparatus includes: a first 

30 storage section for storing data structure information 
which includes encrypted data; a special information 
holding section for holding special information associat- 
ed with the data structure information; and a controller 
for controlling the first storage section and the special 

35 information holding section, wherein the data structure 
information and the special information are associated 
with each other such that the special information is up- 
dated in response to an update of the data structure in- 
formation, or such that the data structure information is 

^o updated in response to an update of the special infor- 
mation , the controller controls movement of the encrypt- 
ed data from the first storage section to a second stor- 
age section, and the controller updates the special in- 
formation held in the special information holding section 

4 $ such that a mismatch occurs between the special infor- 
mation obtained before the movement of the encrypted 
data from the first storage section to the second storage 
section and the special information obtained after the 
movement of the encrypted data from the first storage 

50 section to the second storage section. 

[0022] In one embodiment of the present invention, 
the second storage section is provided inside of the re- 
cording/reproducing apparatus. 

[0023] In another embodiment of the present inven- 
ts tion, the second storage section is provided outside of 
the recording/reproducing apparatus. 
[0024] In still another embodiment of the present in- 
vention, the data structure information includes: an ob- 
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ject region for storing data which is encrypted using a 
title key corresponding to a predetermined unit amount 
of data; a management region for storing management 
information of the encrypted data; and an encryption re- 
gion for storing the title key which is encrypted using a 
system key, wherein the special information is the sys- 
tem key : every time the encrypted data is moved from 
the first storage section to the second storage section, 
the controller deletes the moved data from the object 
region, updates the management information; and de- 
letes from the encryption region the encrypted title key 
which is used for decrypting the moved data, and the 
controller updates the system key and encrypts the title 
key using the updated system key. 
[0025] In still another embodiment of the present in- 
vention, the data structure information includes: an ob- 
ject region for storing data which is encrypted using a 
title key corresponding to a predetermined unit amount 
of data; a management region for storing management 
information of the encrypted data; and an encryption re- 
gion for storing the title key and the management infor- 
mation which are encrypted using a system key, wherein 
the special information is the system key, the controller 
controls a movement of a predetermined amount of con- 
tent included in the encrypted data from the first storage 
section to the second storage section, the controller up- 
dates the system key every time the predetermined 
amount of content is moved from the first storage sec- 
tion to the second storage section, every time the pre- 
determined amount of content is moved from the first 
storage section to the second storage section, the con- 
troller deletes the moved predetermined amount of con- 
tent from the object region, updates the management 
information, and encrypts the title key and the updated 
management information using the updated system key, 
and when the amount of moved contents becomes 
equal to the predetermined unit data amount, the con- 
troller deletes from the encryption region the encrypted 
title key which is used for decrypting the data. 
[0026] In still another embodiment of the present in- 
vention, at the start-up of the recording/reproducing ap- 
paratus, the controller decrypts the management infor- 
mation using the system key, and overwrites the de- 
crypted management information in the management 
region. 

[0027] in still another embodiment of the present in- 
vention, the data structure information includes: an ob- 
ject region for storing a content which is a part of the 
encrypted data and which is encrypted using a title key 
corresponding to thecontent; and a management region 
for storing management information of the encrypted 
content and correspondence information which repre- 
sents a correspondence between the encrypted content 
and the title key used for decrypting the encrypted con- 
tent, the correspondence being established by allocat- 
ing ID information to the encrypted content, wherein the 
special information includes the title key to which the ID 
information is allocated and which is encrypted using a 



system key, the controller controls a movement of the 
encrypted content from the first storage section to the 
second storage section, every time the encrypted con- 
tent is moved from the first storage section to the second 

5 storage section, the controller deletes the moved con- 
tent from the object region and updates the manage- 
ment information, and every time the encrypted content 
is moved from the first storage section to the second 
storage section, the controller deletes from the special 

10 information holding section the encrypted title key which 
has the same ID information as that allocated to the de- 
leted content, thereby updating the special information 
held in the special information holding section. 
[0028] In still another embodiment of the present in- 

15 vention, the special information further includes the sys- 
tem key; and the controller updates the system key at a 
predetermined time interval, and encrypts the title key 
using the updated system key thereby updating the 
special information held in the special information hold- 

20 ing section. 

[0029] In still another embodiment of the present in- 
vention, the data structure information includes: an ob- 
ject region for storing data which is encrypted using a 
title key corresponding to a predetermined unit amount 

25 of data; a management region for storing management 
information of the encrypted data; and an encryption re- 
gion for storing the title key which is encrypted using a 
system key, the special information includes: a first 
check code which is calculated from the management 

30 information; and a second check code which :is calcu- 
lated from the encrypted title key, the controller controls 
a movement of a predetermined amount of content in- 
cluded in the encrypted data from the first storage sec- 
tion to the second storage section, every time the pre- 

35 determined amount of content is moved from the first 
storage section to the second storage section, the con- 
troller deletes from the object region the moved prede- 
termined amount of content, thereby updating the man- 
agement information, every time the predetermined 

40 amount of content is deleted from the first storage sec- 
tion, the controller updates the first check code held in 
the special information holding section by means of a 
calculation based on the updated management informa- 
tion, when the amount of moved contents becomes 

45 equal to the predetermined unit data amount, the con- 
troller deletes from the encryption region the encrypted 
title key which is used for decrypting the data, and every 
time the data is deleted, the controller updates the sec- 
ond check code held in the special information holding 

50 section by means of a calculation based on the encrypt- 
ed title key. 

[0030] In still another embodiment of the present in- 
vention, the special information further includes the sys- 
tem key, the controller updates the system key every 
55 time the predetermined amount of content is moved 
from the first storage section to the second storage sec- 
tion, and the controller encrypts the title key using the 
updated system key, thereby updating the encryption re- 
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gion. 

[0031] In still another embodiment of the present in- 
vention, the controller determines whether or not a first 
check code and a second check code, which are calcu- 
lated at the start-up of the recording/reproducing appa- 
ratus from the management information and the en- 
crypted title key, respectively, are identical to the first 
check code and the second check code held in the spe- 
cial information holding section. 

[0032] According to another aspect of the present in- 
vention, a recording/reproducing apparatus includes: a 
storage section for storing data structure information 
which includes encrypted data, the encrypted data in- 
cluding a content which is allowed to be stored for a pre- 
determined time period; a special information holding 
section for holding special information associated with 
the data structure information; and a controller for con- 
trolling the storage section and the special information 
holding section, wherein the data structure information 
and the special information are associated with each 
other such that the special information is updated in re- 
sponse to an update of the data structure information, 
or such that the data structure information is updated in 
response to an update of the special information, the 
controller controls deletion of the content from the stor- 
age section after a predetermined time period has 
elapsed, and the controller updates the special informa- 
tion held in the special information holding section such 
that a mismatch occurs between the special information 
obtained before the deletion of the content from the stor- 
age section and the special information obtained after 
the deletion of the content from the storage section. 
[0033] In one embodiment of the present invention, 
the data structure information includes: an object region 
for storing data which is encrypted using a title key cor- 
responding to a predetermined unit amount of data; a 
management region for storing management informa- 
tion of the encrypted data; and an encryption region for 
storing the title key which is encrypted using a system 
key, wherein the special information is the system key, 
the data is a content which can be stored for a prede- 
termined time period, every time the content is deleted 
from the storage section after a predetermined time pe- 
riod has elapsed, the controller updates the manage- 
ment information and the system key, and the controller 
deletes from the encryption region the encrypted title 
key used for decrypting the content, and encrypts the 
title key using the updated system key 
[0034] In another embodiment of the present inven- 
tion, the data structure information includes: an object 
region for storing data which is encrypted using a title 
key corresponding to a predetermined unit amount of 
data; a management region for storing management in- 
formation of the encrypted data; and an encryption re- 
gion for storing the title key and management informa- 
tion which are encrypted using a system key, wherein 
the special information is the system key, every time the 
content is deleted from the storage section after a pre- 



determined time period has elapsed, the controller up- 
dates the management information and the system key, 
the controller encrypts the title key and the updated 
management information using the updated system key, 
5 and when the amount of deleted contents becomes 
equal to the predetermined unit data amount, the con- 
troller deletes from the encryption region the encrypted 
title key which is used for decrypting the data. 
[0035] In still another embodiment of the present in- 
fo vention, the data structure information includes: an ob- 
ject region for storing a content which is a part of the 
encrypted data and which is encrypted using a title key 
corresponding to the content; and a management region 
for storing management information of the encrypted 
*5 content and correspondence information which repre- 
sents a correspondence between the encrypted content 
and the title key used for decrypting the encrypted con- 
tent, the correspondence being established by allocat- 
ing ID information to the encrypted content, wherein the 
20 special information includes the title key to which the ID 
information is allocated and which is encrypted using a 
system key, every time the encrypted content is deleted 
from the storage section after a predetermined time pe- 
riod has elapsed, the controller updates the manage- 
rs ment information, and every time the encrypted content 
is deleted from the storage section after a predeter- 
mined time period has elapsed, the controller deletes 
from the special information holding section the encrypt- 
ed title key which has the same ID information as that 
30 allocated to the deleted content, thereby updating the 
special information held in the special information hold- 
ing section. 

[0036] In still another embodiment of the present in- 
vention, the special information further includes the sys- 
35 tern key, and the controller updates the system key at 
every predetermined time, and encrypts the title key us- 
ing the updated system key, thereby updating the spe- 
cial information held in the special information holding 
section. 

40 [0037] In still another embodiment of the present in- 
vention, the data structure information includes: an ob- 
ject region for storing data which is encrypted using a 
title key corresponding to a predetermined unit amount 
of data; a management region for storing management 

45 information of the encrypted data; and an encryption re- 
gion for storing the title key which is encrypted using a 
system key, the special information includes: a first 
check code which is calculated from the management 
information; and a second check code which is calcu- 

50 lated from the encrypted title key, every time the prede- 
termined amount of content is deleted from the storage 
section after a predetermined time periodhas elapsed, 
the controller updates the management information, 
every time the management information is updated, the 

55 controller updates the first checkcode held in the special 
information holding section by means of a calculation 
based on the updated management information, when 
the amount of deleted content becomes equal to the pre- 
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determined unit data amount, the controller deletes from 
the encryption region the encrypted title key which is 
used for decrypting the data, thereby updating the en- 
cryption region, and the controller updates the second 
check code held in the special information holding sec- 
tion by means of a calculation based on the encrypted 
title key. 

[0038] In still another embodiment of the present in- 
vention, the special information further includes the sys- 
tem key, every time the predetermined amount of con- 
tent is deleted from the storage section after a predeter- 
mined time period has elapsed, the controller updates 
the system key, and every time the system key is updat- 
ed, the controller encrypts the title key using the updated 
system key, thereby updating the encryption region. 
[0039] According to still another aspect of the present 
invention, there is provided a method for moving data 
from a recording/reproducing apparatus, the recording/ 
reproducing apparatus including: a first storage section 
for storing data structure information which includes en- 
crypted data; a special information holding section for 
holding special information associated with the data 
structure information; and a controller for controlling the 
first storage section and the special information holding 
section, wherein the data structure information and the 
special information are associated with each other such 
that the special information is updated in response to an 
update of the data structure information, or such that the 
data structure information is updated in response to an 
update of the special information, the method compris- 
ing steps of: 

[0040] a) moving the encrypted data from the first 
storage section to a second storage section; and b) up- 
dating the special information held in the special infor- 
mation holding section every time step a) is completed 
such that a mismatch occurs between the special infor- 
mation obtained before step a) and the updated special 
information. 

[0041] In one embodiment of the present invention, 
the second storage section is provided inside of the re- 
cording/reproducing apparatus. 

[0042] In another embodiment of the present inven- 
tion, the second storage section is provided outside of 
the recording/reproducing apparatus. 
[0043] In still another embodiment of the present in- 
vention, the data structure information includes: an ob- 
ject region for storing data which is encrypted using a 
title key corresponding to a predetermined unit amount 
of data; a management region for storing management 
information of the encrypted data; and an encryption re- 
gion for storing the title key which is encrypted using a 
system key, the special information is the system key, 
step b) includes steps of: b1) deleting the moved data 
from the object region and updating the management 
information: b2) deleting from the encryption region the 
encrypted title key which is used for decrypting the 
moved data; b3) updating the system key; and b4) en- 
crypting the title key using the updated system key. 



[0044] In still another embodiment of the present in- 
vention, the data structure information includes: an ob- 
ject region for storing data which is encrypted using a 
title key corresponding to a predetermined unit amount 
5 of data; a management region for storing management 
information of the encrypted data; and an encryption re- 
gion for storing the title key and the management infor- 
mation which are encrypted using a system key, the spe- 
cial information is the system key, step a) includes a step 
w of moving a predetermined amount of content included 
in the encrypted data from the first storage section to 
the second storage section, and step b) includes steps 
of: b1) deleting the moved predetermined amount of 
content from the object region; b2) updating the man- 
's agement information; b3) updating the system key; and 
b4) encrypting the title key and the updated manage- 
ment information using the updated system key, the 
method further includes steps of: c) repeating steps a) 
and b) until the amount of the moved content becomes 
20 equal to the predetermined unit data amount; and d) 
when the amount of moved content becomes equal to 
the predetermined unit data amount, deleting from the 
encryption region the encrypted title key which is used 
for decrypting the data. 
25 [0045] In still another embodiment of the present in- 
vention, the method further includes steps of: e) acquir- 
ing the system key from the special information holding 
section; f) decrypting the management information 
stored in the encryption region using the system key; 
30 and g) overwriting the decrypted management informa- 
tion in the management region. 

[0046] In still another embodiment of the present in- 
vention, the data structure information includes: an ob- 
ject region for storing a content which is a part of the 

35 encrypted data and which is encrypted using a title key 
corresponding to the content; and a management region 
for storing management information of the encrypted 
content and correspondence information which repre- 
sents a correspondence between the encrypted content 

40 and the title key used for decrypting the encrypted con- 
tent, the correspondence being established by allocat- 
ing ID information to the encrypted content, the special 
information includes the title key to which the ID infor- 
mation is allocated and which is encrypted using a sys- 

45 tern key, step a) includes a step of moving the encrypted 
content from the first storage section to the second stor- 
age section, and step b) includes steps of: b1 ) deleting 
the moved content from the object region; b2) updating 
the management information; and b3) deleting the en- 

so crypted title key which has the same ID information as 
that allocated to the content deleted at step b1). 
[0047] In still another embodiment of the present in- 
vention, the special information further includes the sys- 
tem key; and step b) further includes a step of updating 

55 the system key at every predetermined time and en- 
crypting the title key using the updated system key. 
[0048] In still another embodiment of the present in- 
vention, the data structure information includes: an ob- 
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ject region for storing data which is encrypted using a 
title key corresponding to a predetermined unit amount 
of data; a management region for storing management 
information of the encrypted data; and an encryption re- 
gion for storing the title key which is encrypted using a 
system key, the special information includes: a first 
check code which is calculated from the management 
information; and a second check code which is calcu- 
lated from the encrypted title key, step a) includes a step 
of moving a predetermined amount of content included 
in the encrypted data from the first storage section to 
the second storage section, step b) includes steps of: 
b1) deleting the moved predetermined amount of con- 
tent from the object region b2) updating the manage- 
ment information; andb3) updating the first check code 
by means of a calculation based on the updated man- 
agement information, and the method further includes 
steps of: c) repeating steps a) and b) until the amount 
of the moved content becomes equal to the predeter- 
mined unit data amount; d) when the amount of moved 
content becomes equal to the predetermined unit data 
amount, deleting from the encryption region the encrypt- 
ed title key which is used for decrypting the data; and e) 
updating the second check code by means of a calcu- 
lation based on the encrypted title key. 
[0049] In still another embodiment of the present in- 
vention, the special information further includes the sys- 
tem key; and step b) further includes a step of updating 
the system key and encrypting the title key using the 
updated system key. 

[0050] In still another embodiment of the present in- 
vention, the method further includes steps of: f) calcu- 
lating the first check code from the management infor- 
mation; g) determining whether or not the first check 
code obtained at step f) is identical to the first check 
code held in the special information holding section; h) 
if the determination result of step g) indicates "not iden- 
tical", restricting the controller in controlling the first stor- 
age section, but if the determination result of step g) in- 
dicates "identical", calculating the second check code 
from the encrypted title key; i) determining whether or 
not the second check code obtained at step h) is iden- 
tical to the second check code held in the special infor- 
mation holding section; and j) if the determination result 
of step i) indicates "not identical", restricting the control- 
ler in controlling the first storage section, but if the de- 
termination result of step i) indicates "identical", allowing 
the controller to control the first storage section. 
[0051] According to still another aspect of the present 
invention, there is provided a method for deleting data 
from a recording/reproducing apparatus, the recording/ 
reproducing apparatus including: a storage section for 
storing data structure information which includes en- 
crypted data, the encrypted data including a content 
which is allowed to be stored for a predetermined time 
period; a special information holding section for holding 
special information associated with the data structure 
information; and a controller for controlling the storage 



section and the special information holding section, 
wherein the data structure information and the special 
information are associated with each other such that the 
special information is updated in response to an update 
5 of the data structure information, or such that the data 
structure information is updated in response to an up- 
date of the special information, the method comprising 
steps of: a) after a predetermined time period has 
elapsed, deleting the content from the storage section; 

10 and b) updating the special information held in the spe- 
cial information holding section every time step a) is 
completed such that a mismatch occurs between the 
special information obtained before step a) and the up- 
dated special information. 

is [0052] In one embodiment of the present invention, 
the data structure information includes: an object region 
for storing data which is encrypted using a title key cor- 
responding to a predetermined unit amount of data; a 
management region for storing management informa- 

20 tion of the encrypted data; and an encryption region for 
storing the title key which is encrypted using a system 
key, the special information is the system key, the data 
is a content which can be stored for a predetermined 
time period, step b) includes steps of: b1) updating the 

25 management information; b2) updating the system key; 
b3) deleting from the encryption region the encrypted 
title key which is used for decrypting the content; and 
b4) encrypting the title key again using the updated sys- 
tem key. 

30 [0053] In another embodiment of the present inven- 
tion, the data structure information includes: an object 
region for storing data which is encrypted using a title 
key corresponding to a predetermined unit amount of 
data; a management region for storing management in- 

35 formation of the encrypted data; and an encryption re- 
gion for storing the title key and the management infor- 
mation which are encrypted using a system key, the spe- 
cial information is the system key, step b) includes steps 
of: b1) updating the management information; b2) up- 

40 dating the system key; and b3) encrypting the title key 
and the updated management information using the up- 
dated system key, the method further includes, c) re- 
peating steps a) and b) until the amount of the deleted 
content becomes equal to the predetermined unit data 

45 amount; and d) when the amount of deleted content be- 
comes equal to the predetermined unit data amount, de- 
leting from the encryption region the encrypted title key 
which is used for decrypting the data. 
[0054] In still another embodiment of the present in- 

50 vention, the data structure information includes: an ob- 
ject region for storing a content which is a part of the 
encrypted data and which is encrypted using a title key 
corresponding to the content; and amanagement region 
for storing management information of the encrypted 

55 content and correspondence information which repre- 
sents a correspondence between the encrypted content 
and the title key used for decrypting the encrypted con- 
tent, the correspondence being established by ailocat- 
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ing ID information to the encrypted content, the special 
information includes the title key to which the ID infor- 
mation is allocated and which is encrypted using a sys- 
tem key, step b) includes steps of : b1 ) updating the man- 
agement information; and b2) deleting the encrypted ti- 5 
tie key which has the same ID information as that allo- 
cated to the deleted content. 

[0055] In still another embodiment of the present in- 
vention, the special information further includes the sys- 
tem key; and step b) further includes a step of updating 10 
the system key at every predetermined time and en- 
crypting the title key using the updated system key. 
[0056] In still another embodiment of the present in- 
vention, the data structure information includes: an ob- 
ject region for storing data which is encrypted using a 15 
title key corresponding to a predetermined unit amount 
of data; a management region for storing management 
information of the encrypted data; and an encryption re- 
gion for storing the title key which is encrypted using a 
system key, the special information includes: a first 20 
check code which is calculated from the management 
information; and a second check code which is calcu- 
lated from the encrypted title key, step b) includes steps 
of: b1) updating the management information; and b2) 
updating the first check code by means of a calculation 25 
based on the updated management information, and the 
method further includes steps of: c) repeating steps a) 
and b) until the amount of the deleted content becomes 
equal to the predetermined unit data amount; d) when 
the amount of deleted content becomes equal to the pre- 30 
determined unit data amount, deleting from the encryp- 
tion region the encrypted title key which is used for de- 
crypting the data; and e) updating the second check 
code by means of a calculation based on the encrypted 
title key. 35 
[0057] In still another embodiment of the present in- 
vention, the special information further includes the sys- 
tem key; and step b) further includes a step of updating 
the system key and encrypting the title key using the 
updated system key, thereby updating the encryption re- *o 
gion. 

[0058] Thus, the invention described herein makes 
possible the advantages of (1) preventing production of 
an illegal copy and invalidating illegally copied data; (2) 
preventing production of an illegal copy which may be *s 
committed by interrupting a data movement operation 
and invalidating illegally copied data which may be ob- 
tained by interrupting a data transfer operation; and (3) 
deleting data which is allowed to be stored for a prede- 
termined time period. 50 
[0059] These and other advantages of the present in- 
vention will become apparent to those skilled in the art 
upon reading and understanding the following detailed 
description with reference to the accompanying figures. 



BRIEF DESCRIPTION OF THE DRAWINGS 
[0060] 

Figure 1 shows a structure of a conventional video 
recording/reproducing apparatus. 

Figure 2 shows a structure of a conventional fixed 
storage device. 

Figure 3 illustrates a procedure for moving data 
from a fixed storage device to an information re- 
cording medium in the conventional video record- 
ing/reproducing apparatus of Figure 1 . 

Figure 4 shows the inside states of the fixed storage 
device and the information recording medium dur- 
ing a data movement operation. 

Figure 5 schematically shows a recording/repro- 
ducing apparatus of the present invention. 

Figure 6 shows data structure information before 
and after a data movement operation in the record- 
ing/reproducing apparatus of Figure 5. 

Figure 7 shows a structure of a recording/reproduc- 
ing apparatus of the present invention. 

Figure 8 shows data structure information where 
data (programs) P1 and P2 are stored in a hard disc. 

Figure 9 illustrates a procedure for moving data 
from a first storage section to a second storage sec- 
tion within the recording/reproducing apparatus of 
Figure 7. 

Figure 10 illustrates a procedure for deleting data 
from a first storage section of the recording/repro- 
ducing apparatus of the present invention. 

Figure 11 shows a structure of a recording/repro- 
ducing apparatus of the present invention, outside 
of which another storage section is provided. 

Figure 12 shows data structure information, where 
data (programs) P1 and P2 are stored in a fixed 
storage device. 

Figure 13 illustrates a procedure for moving data 
from a first storage section to a second storage sec- 
tion within a recording/reproducing apparatus of the 
present invention. 

Figure 14 illustrates a procedure for deleting data 
from a first storage section of a recording/reproduc- 
ing apparatus of the present invention. 
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Figure 15 shows a procedure for imposing a penalty 
on a fraudulent party. 

Figure 16 shows data structure information includ- 
ing data (program) P1 and P2, which is stored in a 5 
fixed storage device, and special information held 
in a special information holding section. 

Figure 17 illustrates a procedure for moving data 
from a first storage section to a second storage sec- 10 
iion within a recording/reproducing apparatus of the 
present invention. 

Figure 18 illustrates a procedure for deleting data 
from a first storage section of a recording/reproduc- 15 
ing apparatus of the present invention. 

Figure 19 shows data structure information includ- 
ing data (program) P1 and P2, which is stored in a 
fixed storage device, and special information held 20 
in a special information holding section. 

Figure 20 illustrates a procedure for moving data 
from a first storage section to a second storage sec- 
tion within a recording/reproducing apparatus of the 25 
present invention. 

Figure 21 illustrates a procedure for deleting data 
from a first storage section of a recording/reproduc- 
ing apparatus of the present invention. 30 

Figure 22 shows a procedure for imposing a penalty 
on a fraudulent party. 

DESCRIPTION OF THE PREFERRED 35 
EMBODIMENTS 

[0061] First, the principle of the present invention is 
described. As described above . an objective of the 
present invention is to prevent illegal copying and inval- *o 
idate illegally copied data. To this end, data is appropri- 
ately controlled before and after movement of data. In 
the present specification, "data" may be a predeter- 
mined unit amount of data, such as a music program 
including a moving image, a television progranrv music *s 
data, image data, etc. 

[0062] Figure 5 schematically shows a recording/re- 
producing apparatus 5000 of the present invention. In 
Figure 5, for clearly explaining the principle of the 
present invention, the components of an actual record- so 
ing/reproducing apparatus are shown in simplified 
forms. 

[0063] The recording/reproducing apparatus 5000 in- 
cludes: a first storage section 5001 ; a special informa- 
tion holding section 5002; and a controller (CPU: central 55 
processing unit) 5003. 

[0064] The first storage section 5001 encrypts exter- 
nally-input data and stores data structure information in- 
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eluding the encrypted data. The special information 
holding section 5002 holds special information which is 
associated with the data structure information. The con- 
troller 5003 controls the first storage section 5001 and 
the special information holding section 5002. A second 
storage section 5004 is externally connected to the re- 
cording/reproducing apparatus 5000 such that the sec- 
ond storage section 5004 is controlled by the controller 
5003. However, the second storage section 5004 may 
be incorporated in the record ing/reproducing apparatus 
5000. 

[0065] According to the above structure, the data 
structure information and the special information are 
stored separately, while the data structure information 
and the special information can be controlled so as to 
be associated with each other. As a result, the encrypted 
data of the data structure information cannot be solely 
encrypted. Therefore, the data structure information can 
be more securely stored. 

[0066] Figure 6 shows the data structure information 
and the special information before and after a data 
movement operation in the record ing/reproducing appa- 
ratus of Figures. In Figure 6, for simplicity of illustration, 
only the data structure information stored in the first stor- 
age section 5001 and the special information held in the 
special information holding section 5002) of the record- 
ing/reproducing apparatus 5000 are shown. 
[0067] At pre-movement state, i.e., State (I), the data 
structure information includes: a management region 
6001 for storing management information A, such as ad- 
dress, data size of stored data and use status of the first 
storage section; and an object region 6002 for storing 
encrypted data O. The encrypted data O includes data 
P1. The special information holding section 5002 holds 
special information S. The special information S is as- 
sociated with the management information A and/or the 
encrypted data O. 

[0068] After the data P1 in the object region 6002 has 
been moved to the second storage section 5004, the 
data P1 is deleted from the object region 6002, and the 
special information S is then updated to special infor- 
mation S\ In response to the update of the special in- 
formation S, data O is updated to data O', and the man- 
agement information A is updated to management in- 
formation A'. Alternatively, in response to the update of 
data O and the management information A, the special 
information S may be updated to special information S". 
[0069] When the controller 5003 controls the first stor- 
age section 5001 and the special information holding 
section 5002 in the above described manner, the special 
information held in the special information holding sec- 
tion 5002, which is obtained after the data movement 
operation, mismatches with (i.e., differs from) the spe- 
cial information held in the section 5002 which is ob- 
tained before the data movement operation. In such a 
case, even if the data structure information 6000 stored 
in the first storage section 5001 at the pre-movement 
state, i.e., State (I), is harbored into a personal computer 
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including a separate hard disk, or the like, and then re- 
turned to the first storage section 5001 at the post-move- 
ment state, i.e., State (ll) : the special information S, 
which is associated with the data structure information 
6000 )at State (I), is no longer present in the recording/ 
reproducing apparatus 5000 at State (II). As a result, the 
returned data of the data structure information 6000 is 
invalid at State (II). 

[0070] Hereinafter, embodiments of the present in- 
vention will be described with reference to the drawings. 
In the following sections of the present specification, an 
encryption operation is exemplified for describing the 
embodiments of the present invention. Data to be en- 
crypted (data x) and encrypted data (data x') has the 
following relationship: 

Ey(x) = x' (1) 



Dy(x') = Dy(Ey(x)) = x (2) 

where y represents a key used for encryption or decryp- 
tion. E(t) represents an encryption operation. D(t) rep- 
resents a decryption operation. Expression (1) means 
that data x is encrypted using key y so as to obtain data 
x\ Expression (2) means that the encrypted data x' is 
decrypted using key y so as to obtain data x. 

(Embodiment 1) 

[0071] Figure 7 shows a structure of a recording/re- 
producing apparatus 114 of the present invention. The 
recording/reproducing apparatus 114 includes: a first 
storage section 111; a special information holding sec- 
tion 110; a controller 105; an analog/digital input/output 
section 112; and a second storage section 113. 
[0072] The analog/digital input/output section 11 2 in- 
cludes an input section 100 and an output section 103. 
The input section 100 converts externally-input analog 
data into digitally compressed data. The output section 
103 converts the digitally compressed data into analog 
data. 

[0073] The first storage section 111 includes an en- 
cryption section 101 ; a temporary storage section 102; 
a decryption section 104; an input/output section 106; 
and a fixed storage device 107. 

[0074] If copy generation management information 
attached to data is free-content information, the encryp- 
tion section 101 does not perform an encryption proc- 
ess. If the copy generation management information is 
information indicating that production of a child copy 
(first generation copy) is permitted, or information that 
permits storage of data for a predetermined time period, 
the encryption section 1 01 changes the copy generation 
management information into copy prohibition informa- 
tion, and the data is encrypted and stored in the tempo- 
rary storage section 102. 



[0075] The temporary storage section 102 is a high 
speed memory, such as an SDRAM or the like. Since 
the above described sections work based on different 
data transfer rates, the temporary storage section 102 
5 is used as buffer means for buffering the transfer rate 
difference among the sections. 

[0076] The decryption section 104 decrypts the en- 
crypted data and outputs the decrypted data to the data 
output section 103. 
10 [0077] The input/output section 106 is a communica- 
tion control means, such as IDE, SCSI, or the like, which 
controls data transfer to/from the fixed storage device 
107, such as a hard disc. 

[0078] The special information holding section 110 
is holds special information which is associated with data 
stored in the fixed storage device 107. The special in- 
formation holding section 110 cannot be accessed by 
an external device which is present outside the record- 
ing/reproducing apparatus 114. 
20 [0079] The second storage section 113 includes a 
read/write section 108 and an information recording me- 
dium 109. The information recording medium 109 may 
be a portable optical disc, such as a DVD-RAM or the 
like, a hard disc, etc. The read/write section 108 writes 
25 data in and/or reads data from the information recording 
medium 109. 

[0080] The controller 105 controls the first storage 
section 111, the special information holding section 110, 
and the second storage section 113. The controller 1 05 
30 may be a central processing unit (CPU). 

[0081] Figure 8 shows data structure information 
where data (programs) P1 and P2 are stored. in a hard 
disc 200. 

[0082] Next, a recording operation of the recording/ 
35 reproducing apparatus 114 is described with reference 
to Figures 7 and 8. 

[0083] The input section 100 externally receives a 
predetermined amount of analog image unit data P1 (e. 
g., program P1), such as a broadcast wave or the like, 

40 and digitally compresses the analog image data P1 
based on MPEG. The compressed image data P1 is 
transferred to the encryption section 101. If the copy 
generation management information attached to the 
compressed image data P1 is the copy prohibition infor- 

45 mation, the encryption section 101 is controlled by the 
controller 105 so as to stop a recording operation. If the 
copy generation management information is information 
which permits making a first generation copy, or infor- 
mation that permits storage of data for a predetermined 

50 time period, the encryption section 101 changes the 
copy generation management information into copy pro- 
hibition information, and encrypts the compressed im- 
age data P1 using a title key Dk1 which includes infor- 
mation inherent to the fixed storage device 107 and 

55 which corresponds to the predetermined unit amount of 
data P1. The encrypted data (EDk1 (P1 )) is transferred 
to the temporary storage section 1 02. If copy generation 
management information is free-content information, 
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the encryption section 101 does not perform an encryp- 
tion process and transfers the compressed image data 
P1 as it is to the temporary storage section 102. In the 
following description, assume that the copy generation 
management information attached to the input data P1 5 
is information which permits making a first generation 
copy, or information that permits storage of data for a 
predetermined time period. The data EDk1(P1) stored 
in the temporary storage section 102 is moved to, and 
stored in, the fixed storage device 1 07 through the input/ 10 
output section 106. Specifically in this example, the en- 
crypted data EDk1 (P1 ) is stored in the fixed storage de- 
vice 1 07 as an encrypted program 206 within an object 
region 202 of data structure information 210. 
[0084] Management information, such as a data stor- 15 
age position which is used for reading the encrypted pro- 
gram 206 from the object region 202, a data size, and 
the use status of the fixed storage device 1 07, are stored 
in a management region 201 within the data structure 
information 210. 20 
[0085] The management region 201 includes a data 
management region 204 and a use status management 
region 205. The data management region 204 stores a 
data storage position and a data size. The use status 
management region 205 stores the use status of the ob- 2s 
ject region 202 (e.g., unused capacity of the object re- 
gion 202). The management information in the manage- 
ment region 201 is updated every time data comes to 
the object region 202 and is stored therein. 
[0086] The title key Dk1, which is necessary for de- 30 
crypting the encrypted program 206 in a reproduction 
operation, is encrypted using a system key Ds. The en- 
crypted title key EDs(Dkl) is stored in an encryption re- 
gion 203 within the data structure information 210. The 
system key Ds used for encrypting the title key Dk1 is 35 
stored in the special information holding section 110. 
[0087] When another data P2 is stored subsequently 
to the data P1 , the data P2 is encrypted using a title key 
Dk2 which corresponds to the data P2, and stored as 
the encrypted program EDk2(P2) in the object region 40 
202 where the data P1 has been stored. When the data 
P1 and P2 are stored in the object region 202, all of the 
data stored in the encryption region 203 (in this exam- 
ple, the encrypted title key EDs(Dkl)) are read out and 
decrypted using the system key Ds held in the special 45 
information holding section 110. After the decryption 
has been completed, the system key Ds is updated to 
system key Ds'. Then, the updated system key Ds' is 
used to encrypt the title keys Dk1 and Dk2. The encrypt- 
ed title keys EDs'(Dk1 ) and EDs'(Dk2) are stored in the so 
encryption region 203 again. 

[0088] A reproduction operation for reproducing data 
recorded in such a way is substantially the same as that 
described above with reference to Figure 1 , except that 
the special information held in the special information 55 
holding section 110 is used. Therefore, the description 
of the reproduction operation is herein omitted. 
[0089] As described above, a title key which is used 



for decrypting encrypted data stored in the fixed storage 
device 107 (the hard disc 200 in Figure 8) is encrypted 
by using a system key held in the special information 
holding section 110 which is separately provided from 
the fixed storage device 107. With such an arrange- 
ment, it is impossible to obtain reproducible data only 
with data stored in the fixed storage device 107. 

1. Data from which production of first generation 
copy is permitted 

[0090] Now, a case where data having data structure 
information shown in Figure 8 is moved from the first 
storage section 111 to the second storage section 113 
is described. Data described in this section is data from 
which production of a first generation copy is permitted. 
[0091 ] Figure 9 illustrates a procedure for moving da- 
ta from the first storage section 111 to the second stor- 
age section 113 within the recording/reproducing appa- 
ratus 1 1 4. In this example, assume that the fixed storage 
device 1 07 of the first storage section 1 1 1 is a hard disc 
200; the information recording medium 109 of the sec- 
ond storage section 113 is a DVD-RAM; the predeter- 
mined unit amount of data is the program P1 ; and the 
program P1 stored in the harddisc 200 as shown in Fig- 
ure 8 is moved to the DVD-RAM 109. The program P1 
is encrypted using the title key Dk1 and stored in the 
object region 202 in the hard disk 200. 

Step 300: 

[0092] Encrypted title keys EDs'(Dk1 , Dk2) are read 
out from the encryption region 203. 

Step 301 : 

[0093] The system key Ds' which is held in the special 
information holding section 110 is used to decrypt the 
encrypted title keys EDs'(Dk1, Dk2) so as to obtain a 
title key Dk1 . 

Step 302: 

[0094] Based on management information stored in 
the management region 201, the encrypted program 
EDk1(P1) is read from the hard disc 200 and stored in 
the temporary storage section 102. 

Step 303: 

[0095] The read program EDk1(P1) is decrypted us- 
ing the title key Dk1 obtained at step 301 (DDk1 (EDk1 
(P1))). 

Step 304: 

[0096] The decrypted program P1 is encrypted using 
a title key Dr which includes information inherent to the 
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DVD-RAM, in order to prevent illegal copying (EDr(P1))_ 
Step 305: 

[0097] The encrypted program EDr(P1) is recorded 
on the DVD-RAM 109. 

[0098] Through steps 300 to 305, the program P1 is 
moved to (recorded on) the DVD-RAM 109 from the 
fixed storage device 1 07. 

Step 306: 

[0099] Steps 302 to 305 are repeated until all the data 
of the program P1 is recorded on the DVD-RAM 109. 

Step 307: 

[0100] After all the data of the program P1 has been 
moved to the DVD-RAM 109, the program P1 is deleted 
from the object region 202 of the hard disc 107, and the 
management information (i.e., the management region 
204 and the use status management region 205) are 
updated. 

Step 308: 

[0101] The encrypted title key EDs'(Dkl), which was 
used for decrypting the program P1 , is deleted from the 
encryption region 203. 

Step 309: 

[0102] The system key Ds' held in the special infor- 
mation holding section 110 is updated to a system key 
Ds". 

Step 310: 

[0103] The updated system key Ds" is used to en- 
crypt the remaining title keys (EDs"(Dk2)), whereby the 
encryption region 203 is updated. 

[0104] Through steps 307 to 310, the program P1 is 
deleted from the hard disc 200, whereby the data move- 
ment from the hard disc 200 to the DVD-RAM 109 is 
completed. 

[0105] According to embodiment 1, a mismatch oc- 
curs between the special information (system key Ds') 
obtained before movement of data from the first storage 
section 111 to the second storage section 113 and the 
special information (system key Ds") obtained after 
movement of data from the first storage section 1 11 to 
the second storage section 113 (DsVDs"). Due to this 
mismatch, even if data is copied (harbored) into another 
hard disc before the data is moved from the first storage 
section 111 to the second storage section 113, and the 
harbored data is returned from the another hard disc to 
the first storage section 111 after the data has been 
moved from the first storage section 111 to the second 



storage section 113, special information which is nec- 
essary for decrypting the data is no longer present. 
Thus, production of a plurality of illegal copies can be 
prevented, and illegally copied data can be invalidated. 

5 

2. Data which is allowed to be stored for a 
predetermined time period. 

[01 06] Now, a case where data having data structure 
10 information shown in Figure 8 is deleted from the first 
storage section 111 is described. Data described in this 
section is data which is allowed to be stored for a pre- 
determined time period. 

[0107] Figure 10 illustrates a procedure for deleting 
15 data from the first storage section 11 1 of the recording/ 
reproducing apparatus of the present invention. In this 
example, assume that the fixed storage device 1 07 of 
the first storage section 111 is a hard disc 200; the pro- 
gram P1 (the predetermined unit amount of data) is con- 
20 tent which is allowed to be stored for a predetermined 
time period; and the program P1 stored in the hard disc 
200 as shown in Figure 8 is deleted from the hard disc 
200 after a predetermined time period has elapsed. The 
program P1 is encrypted using the title key Dk1 and 
25 stored in the object region 202 in the hard disk 200. 

Step 1001: 

[0108] After a predetermined time period has 
30 elapsed , content which is allowed to be stored for a pre- 
determined time period is deleted from the first storage 
section 111. 

Step 1002: 

35 

[0109] Management information is updated. 
Step 1003: 

40 [0110] A system key held in the special information 
holding section 110 is updated. 

Step 1004: 

45 [0111] An encrypted title key which is used for de- 
crypting the deleted content is deleted from the encryp- 
tion region 203. 

Step 1 005: 

50 

[0112] The system key Ds" updated at step 1003 is 
used to encrypt the remaining title keys in the encryption 
region 203 (in this example, Dk2). 

[0113] According to embodiment 1, a mismatch oc- 
55 curs between the special information (system key Ds') 
obtained before deletion of data from the first storage 
section 111 and the special information (system key 
Ds") obtained after deletion of data from the first storage 
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section 111 (Ds**Ds"). Due to this mismatch, even if 
data is copied (harbored) into another hard disc before 
the data is deleted from the first storage section 111, 
and the harbored data is returned from the another hard 
disc to the first storage section 111 after the data is de- 
leted from the first storage section 111, special informa- 
tion which is necessary for decrypting the data is no 
longer present. Thus, production of a plurality of illegal 
copies can be prevented, and illegally copied data can 
be invalidated. That is, the data which is allowed to be 
stored for a predetermined time period is deleted with 
certainty. 

[0114] The recording/reproducing apparatus of the 
present invention is not limited to the recording/repro- 
ducing apparatus 114 shown in Figure 1. 
[0115] Figure 11 shows a recording/reproducing ap- 
paratus 1520 of the present invention, outside of which 
another storage section is provided. 
[01 16] In this example, the recording/reproducing ap- 
paratus 1520 has substantially the same structure as 
that of the recording/reproducing apparatus 114 of Fig- 
ure 7, except that an external digital recording apparatus 
1540 is attached as another storage section to the re- 
cording/reproducing apparatus 1520. In Figure 11, like 
elements are indicated by like reference numerals used 
in Figure 7, and detailed descriptions thereof are omit- 
ted. 

[0117] An analog/digital input/output section 1511 in- 
cludes an input section 1500 and an output section 
1503. The input section 1500 converts analog data, 
which is input from the external digital recording appa- 
ratus 1 540 and/or input from an externa! device different 
from the external digital recording apparatus 1 540 (e.g., 
a television monitor), into digitally compressed data. 
The output section 1503 converts digitally compressed 
data into analog data, and moves the analog data from 
the first storage section 111 to the external digital re- 
cording apparatus 1540 and/or an external device dif- 
ferent from the external digital recording apparatus 
1540. 

[0118] The analog/digital input/output section 1511 
and the external digital recording apparatus 1540 are 
connected via a digital interface 1530, such as an 
IEEE1394orthelike. 

[0119] Also in the recording/reproducing apparatus 
1520 of Figure 11, as well as in the recording/reproduc- 
ing apparatus 1 14 of Figure 7, data can be moved from 
the first storage section 1 1 1 to the external digital re- 
cording apparatus 1540 while preventing illegal copy- 
ing. 

[0120] In another embodiment of the present inven- 
tion, although not shown, the digital recording apparatus 
1540 may be provided outside of the recording/repro- 
ducing apparatus 1 520 and used as a substitute for the 
second storage section 113 shown in Figures 7 and 1 1 . 
[0121] Hereinafter, embodiments 2-6 of the present 
invention are described. Each of embodiments 2-6 can 
be achieved using one of the recording/reproducing ap- 



paratuses shown in Figures 7 and 11. 

(Embodiment 2) 

5 [0122] Figure 12 shows data structure information 
where data (programs) P1 and P2 are stored in a fixed 
storage device 107. The data structure information in- 
cludes a management region 201 , an object region 202, 
and an encryption region 403. In Figure 12, like ele- 

*o ments are indicated by like reference numerals used in 
Figure 8, and detailed descriptions thereof are omitted. 
[0123] The data structure information shown in Figure 
12 is different from that shown in Figure 8, in that the 
encryption region 403 includes an encrypted title key re- 

*5 gjon 408 and an encryption management region 409. 
The encrypted title key region 408 stores a title key 
which is encrypted using a system key Ds' held in the 
special information holding section 110 and which is 
used for encrypting data P1 and P2. The encryption 

20 management region 409 stores management informa- 
tion which is encrypted using the system key Ds' held 
in the special information holding section 110 and which 
is stored in the management region 201 . The other com- 
ponents of the recording/reproducing apparatus of em- 

25 bodiment 2 are the same as those described in embod- 
iment 1, and detailed descriptions thereof are omitted. 
Further, recording and reproducing operations of the re- 
cording/reproducing apparatus of embodiment 2 are the 
same as those described in embodiment 1 , and detailed 

30 descriptions thereof are omitted. 

1. Data from which production of first generation 
copy is permitted 

35 [0124] Now, a case where data having data structure 
information shown in Figure 12 is moved from the first 
storage section 111 to the second storage section 113 
(see Figure 7 or 11) is described. Data described in this 
section is data from which production of a first genera- 
te tion copy is permitted. 

[0125] Figure 13 illustrates a procedure for moving 
data from the first storage section 111 to the second 
storage section 113 within the recording/reproducing 
apparatus of the present invention (see Figure 7 or 1 1 ). 
^5 in this example, assume that the fixed storage device 
107 of the first storage section 111 is a hard disc 400; 
the information recording medium 109 of the second 
storage section 113 is a DVD-RAM; the predetermined 
unit amount of data is the program P1 ; and the program 
50 pi stored in the hard disc 400 as shown in Figure 12 is 
moved to the DVD-RAM 109. The program P1 is en- 
crypted using the title key Dk1 and stored in the object 
region 202 in the hard disk 400. In embodiment 3, steps 
for writing in the DVD-RAM a predetermined amount of 
55 content included in the program P1 shown in Figure 13 
are the same as steps 300-305 shown in Figure 9.) 
Thus, description of these steps are not herein omitted. 
Note that the "predetermined amount of contents" may 
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be video data having the reproduction length of about 
three minutes, for example. 

Step 504: 

[0126] Steps 302 to 305 are repeated until all of the 
predetermined amount of content contained in the pro- 
gram P1 is moved to (recorded on) the DVD-RAM 109. 

Step 505: 

[0127] After all of the predetermined amount of con- 
tent contained in the program P1 has been moved to the 
DVD-RAM 109, the predetermined amount of content 
contained in the program PI is deleted from the object 
region 202 of the hard disc 400. 

Step 506: 

[0128] The management information (i.e., the man- 
agement region 204 and the use status management 
region 205) are updated. 

Step 507: 

[0129] The system key Ds* held in the special infor- 
mation holding section 110 is updated to a system key 
Ds" . 

Step 508: 

[0130] The updated system key Ds" is used to en- 
crypt the titlekeys Dk1 and Dk2 and the updated man- 
agement information, whereby the encryption region 
403 is updated. 

Step 509: 

[0131] Steps 302 to 305 and steps 504-508 are re- 
peated until the data amount of the moved content be- 
comes equal to a predetermined unit data amount. 

Step 510: 

[0132] When the data amount of the moved content 
becomes equal to the amount of the program P1 (the 
predetermined unit data amount), the encrypted title key 
EDs n (Dk1), which was used for decrypting the program 
P1, is deleted from the encryption region 403. 
[0133] Through steps 300 to 305 and steps 504-51 0, 
the program P1 is moved to (recorded on) the 
DVD-RAM 1 09 from the hard disc 400, and the program 
P1 is deleted from the hard disc 400, whereby the data 
movement from the hard disc 400 to the DVD- RAM 1 09 
is completed. 

[0134] According to embodiment 2, a mismatch oc- 
curs between the special information (system key Ds") 
obtained before movement of the predetermined 



amount of content among the predetermined unit 
amount of data from the first storage section 111 to the 
second storage section 113 and the special information 
(system key Ds") obtained after movement of the pre- 

5 determined amount of content among the predeter- 
mined unit amount of data from the first storage section 
111 to the second storage section 113 (Ds'*Ds"). Fur- 
ther, the system key is updated every time a predeter- 
mined amount of content are moved from the first stor- 

10 age section 111 to the second storage section 113, and 
the updated system key is used to encrypt the title key 
and the management region. With such arrangements, 
the data can be controlled by units of a smaller amount 
of data. Therefore, illegal copying of a smaller amount 

15 of data can be prevented. 

[0135] Furthermore, even if data movement is inter- 
rupted by disconnecting the power supply to the record- 
ing/reproducing apparatus before completion of data 
movement from the first storage section 1 1 1 to the sec- 

20 ond storage section 113, the data deleted from the first 
storage section 111 cannot be restored because the 
management information associated with the data 
which has already been moved to the second storage 
section 113 and deleted from the first storage section 

25 111 cannot be obtained. 

[0136] According to the present invention, if the spe- 
cial information holding section 110 has a sufficient ca- 
pacity for holding a large amount of data, the data which 
was stored in the encryption region 403 in the above 

30 example may be stored in the special information hold- 
ing section 1 10. In such a case, the data is secretly kept 
within the recording/reproducing apparatus, so that the 
security against illegal data processing can be im- 
proved. 

35 

2. Data which is allowed to be stored for a 
predetermined time period. 

[0137] Now, a case where data having data structure 

40 information shown in Figure 12 is deleted from the first 
storage section 111 (see Figure 7 or 11) is described. 
Data described in this section is data which is allowed 
to be stored for a predetermined time period. 
[0138] Figure 14 illustrates a procedure for deleting 

45 data from the first storage section 1 1 1 of the recording/ 
reproducing apparatus of the present invention (see Fig- 
ure 7 or 1 1 ). In this example, assume that the fixed stor- 
age device 1 07 of the first storage section 111 is a hard 
disc 400; the predetermined unit amount of data is the 

so program P1 ; and the program P1 stored in the hard disc 
400 as shown in Figure 12 is deleted from the hard disc 
400 after a predetermined time period has elapsed. The 
program P1 includes a plurality of contents which can 
be stored for a predetermined time period. Steps 

55 1001-1003 shown in Figure 14 are the same as Steps 
1001-1003 of Figure 10. a Therefore, descriptions of 
these steps are herein omitted. 
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Step 1401: 

[0139] The system key Ds" updated at step 1003 is 
used to encrypt the title keys Dk1 and Dk2 and the up- 
dated management information, whereby the encryp- 
tion region 403 is updated. 

Step 1402: 

[0140] Steps 1001-1401 are repeated until the 
amount of the deleted contents becomes equal to the 
predetermined unit data amount, i.e., the data amount 
of the program P1. 

Step 1403: 

[0141] When the amount of the deleted contents be- 
comes equal to the predetermined unit data amount, i. 
e., the data amount of the program P1, the encrypted 
title key EDs"(Dk1 ) which is used for decrypting the pro- 
gram P1 is deleted from the encryption region 403. 
[0142] According to embodiment 2, a mismatch oc- 
curs between the special information (system key Ds') 
obtained before deletion of a predetermined amount of 
content from the first storage section 111 and the special 
information (system key Ds") obtained after deletion of 
a predetermined amount of content from the first storage 
section 111 (DsVDs tt ). Due to this mismatch, even if a 
predetermined amount of content is copied (harbored) 
into another hard disc before the predetermined amount 
of content is deleted from the first storage section 111, 
and the harbored content is returned from the another 
hard disc to the first storage section 111 after a prede- 
termined time period has elapsed and the predeter- 
mined amount of content is deleted from the first storage 
section 111, special information which is necessary for 
decrypting the predetermined amount of content is no 
longer present. Thus, production of a plurality of illegal 
copies can be prevented, and illegally copied data can 
be invalidated. That is, the data which is allowed to be 
stored for a predetermined time period can be surely de- 
leted. Furthermore, since the predetermined amount of 
contents is smaller than the predetermined unit data 
amount, the security against illegal data processing is 
higher in embodiment 2 than in embodiment 1. 

(Embodiment 3) 

[0143] Figure 15 shows a procedure for imposing a 
penalty on a fraudulent party. Embodiment 3 is realized 
in the recording/reproducing apparatus (for example, 
the recording/reproducing apparatus 114 (Figure 7) or 
the recording/reproducing apparatus 1520 (Figure 11)) 
which records/reproduces data having the data struc- 
ture information according to embodiment 2 (shown in 
Figure 12). In embodiment 3, the fixed storage device 
1 07 of the first storage section 1 1 1 is the hard disc 400 
of Figure 1 2. The hard disc 400 includes the data struc- 



ture information as shown in Figure 12. 
[0144] Hereinafter, steps of the procedure for impos- 
ing a penalty on a fraudulent party are described with 
reference to Figure 15. 

5 

Step 600: 

[0145] The system key Ds" is acquired from the spe- 
cial information holding section 110 immediately after 
10 the start-up of the recording/reproducing apparatus. 

Step 601: 

[0146] The system key Ds u is used to decrypt the en- 
15 crypted management information stored in the encryp- 
tion management region 409 within the encryption re- 
gion 403. 

Step 602: 

20 

[0147] The decrypted management information is 
written in the management region 201 , and the manage- 
ment region 201 is updated. 

[0148] In the arrangement of embodiment 3, assume 

25 that a fraudulent party illegally copies data structure in- 
formation associated with the system key Ds* into an- 
other hard disc before a data movement operation and 
returns the data structure information to the hard disc 
400 in the recording/reproducing apparatus after the da- 

30 ta movement operation. Encrypted management infor- 
mation in the encryption region 403 is decrypted using 
an updated system key Ds", which is different from a 
system key Ds' that was used for encrypting the man- 
agement information, whereby the management region 

35 201 is updated. As a result, the encrypted management 
information is decrypted using the updated system key 
Ds" which is irrelevant thereto, so that the management 
region 201 is broken. Accordingly, the fraudulent party 
has to restore the management region 201 by formatting 

io the hard disc 400 or a like measure. That is, such a pen- 
alty is imposed on the fraudulent party. 
[0149] Alternatively, assume that, after a predeter- 
mined amount of content included in a predetermined 
unit amount of data has been deleted, a fraudulent party 

4 5 restores the deleted predetermined amount of content 
so as to obtain a predetermined unit amount of data. 
Since, according to embodiment 3, the encryption re- 
gion 403 including the management information is up- 
dated every time a predetermined amount of content is 

50 moved, the management information not indicating that 
the predetermined amount of content deleted therefrom 
is overwritten in the management region 201 by per- 
forming steps 600-602 at the start-up of the recording/ 
reproducing apparatus. As a result, restoration of the 

55 deleted predetermined amount of content can be pre- 
vented. 
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(Embodiment 4) 

[0150] Figure 16 shows data structure information in- 
cluding data (program) P1 and P2, which is stored in the 
fixed storage device 107 (see Figure 7 or 11), and spe- 
cial information held in the special information holding 
section 110. Embodiment 4 differs from embodiments 
1-3 in that a plurality of title keys are used to encrypt a 
predetermined unit amount of data, and the title keys 
and identification (ID) information allocated thereto are 
held in the special information holding section 110. The 
other details of recording and reproducing operations of 
the recording/reproducing apparatus according to em- 
bodiment 4 are the same as those of embodiment 1 , and 
therefore are not herein described. 
[0151] The data structure information includes a man- 
agement region 703 and an object region 704. 
[0152] The object region 704 stores encrypted data 
(for example, programs P1 and P2). The program P1 
includes a plurality of contents (for example, P1 -1 , P1 -2, 
and P1-3). Different keys are used for encrypting the re- 
spective contents. 

[0153] The management region 703 stores a data 
management region 705 and a correspondence infor- 
mation management region 706. The data management 
region 705 stores a data storage position and a data 
size. The correspondence information management re- 
gion 706 stores correspondence information 709 which 
represents the correspondence between encrypted 
contents and title keys used for encrypting the encrypted 
contents. The correspondence is established by allocat- 
ing ID information to each of the encrypted contents. 
Every time a content is encrypted, ID information is al- 
located to the encrypted content for identifying the en- 
crypted content. 

[0154] The special information holding section 110 
holds a system key 711, and a title key 701 which is 
encrypted using the system key 711 and which has ID 
information. The system key 711 is updated by the con- 
troller 1 05 at a predetermined time interval (for example, 
every 3 minutes). The updated system key 711 is then 
used to encrypt the title key 701 . When a new ID infor- 
mation is given to the correspondence information 709, 
the new ID information is allocated to the encrypted title 
key 701 , and the encrypted title key 701 with the ID in- 
formation is stored in the special information holding 
section 110. 

[0155] In embodiment 4, as described above, a title 
key, which is used for decrypting encrypted data stored 
in the fixed storage device 107, is stored in the special 
information holding section 110, which is provided sep- 
arately from the fixed storage device 107. With such an 
arrangement, it is impossible to obtain reproducible data 
only from the data stored in the fixed storage device 1 07. 
Thus, a higher level of protection can be achieved as 
compared to embodiments 1-3. 



1. Data from which production of first generation 
copy is permitted 

[0156] Now, a case where data having data structure 

5 information shown in Figure 16 is moved from the first 
storage section 111 to the second storage section 113 
(see Figure 7 or 1 1 ) is described. Data described in this 
section is data from which production of a first genera- 
tion copy is permitted. 

10 [0157] Figure 17 illustrates a procedure for moving 
data from the first storage section 111 -to the second 
storage section 113 within the recording/reproducing 
apparatus of the present invention (see Figure 7 or 1 1 ). 
In this example, assume that the fixed storage device 

15 107 of the first storage section 111 is a hard disc 702; 
the information recording medium 109 of the second 
storage section 113 is a DVD-RAM; the predetermined 
unit amount of data is the program P1 ; and the program 
P1 stored in the hard disc 702 as shown in Figure 16 is 

20 moved to the DVD-RAM 109. The program P1 is en- 
crypted using the title keys Dk1 to Dk3 and stored in the 
object region 704 in the hard disk 702. 

Step 800: 

25 

[0158] The correspondence information 709 is read 
from the correspondence information management re- 
gion 706 within the management region 703. 

30 Step 801 : 

[0159] ID information (e.g., ID1, ID2, ID3) allocated to 
respective contents of the program P1 to be moved (e. 
g. f EDk1(P1-1), EDk2(P1-2), EDk3(P1-3)) are ac- 

35 quired. 

Step 802: 

[0160] Thecontentto be moved, EDk1(P1-1), is read 
40 from the object region 704 and stored in the temporary 
storage section 102. 

Step 803: 

45 [0161] The encrypted title key (EDs(Dk1 )), to which 
the ID information ID1 obtained at step 801 is allocated, 
is decrypted using the system key Ds held in the special 
information holding section 110. The encrypted content 
EDk1(P1-1) is decrypted using the decrypted title key 

so Dk1 (DDk1(EDk1(P1-1))). 

Step 804: 

[01 62] The decrypted content P1 -1 is encrypted using 
55 a title key Dr, which includes information inherent to a 
DVD-RAM, for the purpose of preventing illegal copying 
(EDr(P1-1)). 
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Step 805: 

[0163] The encrypted content EDr(P1-1) is recorded 
in the DVD-RAM 109. 

[0164] Through steps 800-805, the content P1-1 is 5 
moved to (recorded in) the DVD-RAM 109 from the hard 
disc 702. 

Step 806: 

10 

[01 65] Steps 801 -805 are repeated until all of the con- 
tents included in the program P1 (i.e., the remaining 
contents P1-2 and P1-3) are moved into the DVD-RAM 
109. 

15 

Step 807: 

[01 66] After all of the contents included in the program 
P1 have been moved into the DVD-RAM 109, the con- 
tents P1-1, P1-2 and P1-3 are deleted from the object 20 
region 704 of the hard disc 702. 

Step 808: 

[0167] The data management region 705 is updated 25 
in response to deletion of the program P1 . The !D infor- 
mation (ID1 , ID2, ID3 ) allocated to the deleted program 
P1 are deleted, whereby the correspondence informa- 
tion management region 706 is updated. 

30 

Step 809: 

[0168] The encrypted title keys with ID information 
(ID1-EDs(Dk1), ID2-EDs(Dk2), ID3-EDs(Dk3)), which 
are held in the special information holding section 110 35 
and which are used for decrypting the program P1, are 
deleted. 

[0169] Through steps 807-809 : the program P1 is de- 
leted from the hard disc 702, whereby movement of the 
program P1 from the hard disc 702 to the DVD-RAM 1 09 40 
is completed. 

[0170] According to embodiment 4, a mismatch oc- 
curs between the special information obtained before 
movement of data from the first storage section 111 to 
the second storage section 113 and the special infor- 45 
mation obtained after movement of data from the first 
storage section 111 to the second storage section 113. 
Further, after movement of data from the first storage 
section 111 to the second storage section 113 is com- 
pleted, a title key used for decrypting the data is deleted, so 
Due to such arrangements, even if data is copied (har- 
bored) into another hard disc before the data is moved 
from the first storage section 111, and the harbored data 
is returned from the another hard disc to the hard disc 
702 after movement of the data has been completed, ID 55 
information allocated to that data is not present in the 
special information holding section 110. As a result, the 
harbored data becomes invalid data, whereby illegal 



copying can be prevented. 

[0171] It should be noted that steps 801-809 may be 
alternatively performed for each content, rather than 
each program. In such a case, copying of a smaller 
amount of data can be prevented. 

2. Data which is allowed to be stored for a 
predetermined time period. 

[0172] Now, a case where data having data structure 
information shown in Figure 16 is deleted from the first 
storage section 111 (see Figure 7 or 11) is described. 
Data described in this section is data which is allowed 
to be stored for a predetermined time period. 
[0173] Figure 18 illustrates a procedure for deleting 
data from the first storage section 111 of the recording/ 
reproducing apparatus of the present invention (see Fig- 
ure 7 or 1 1). In this example, assume that the fixed stor- 
age device 1 07 of the first storage section 111 is a hard 
disc 702 (Figure 16); the predetermined unit amount of 
data is the program P1; and the program P1 stored in 
the hard disc 702 as shown in Figure 16 is deleted from 
the hard disc 702 after a predetermined time period has 
elapsed. The program P1 includes a plurality of contents 
(P1-1, P1-2, P1-3) which can be stored for a predeter- 
mined time period. Step 1001 shown in Figure 18 is the 
same as Step 1001 of Figure 10, and therefore, descrip- 
tions of this step is herein omitted. 

Step 1801: 

[0174] The data management region 705 is updated 
in response to deletion of a content. The ID information 
allocated to the deleted content are also deleted, where- 
by the correspondence information management region 
706 is updated. 

Step 1 802: 

[0175] The encrypted title keys having the ID informa- 
tion, which is the same as that allocated to the deleted 
content, is deleted. 

[0176] According to embodiment 4, a mismatch oc- 
curs between the special information obtained before 
deletion of data from the first storage section 111 and 
the special information obtained after deletion of the da- 
ta from the first storage section 111. Due to this mis- 
match, even if data is copied (harbored) into another 
hard disc before the data is deleted from the first storage 
section 111, and the harbored data is returned from the 
another hard disc to the first storage section 111 after a 
predetermined time period has elapsed and the data is 
deleted from the first storage section 111, special infor- 
mation which is necessary for decrypting the data is no 
longer present. Thus, production of a plurality of illegal 
copies can be prevented, and illegally copied data be- 
comes useless data. 

[0177] In embodiment 4, the system key 711 held in 
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the special information holding section 110 is updated 
by the controller 105 at a predetermined time interval. 
However according to the present invention, the system 
key 711 may not be updated. In this case, the same ef- 
fect as those described above can be achieved without 
performing re-encryption/re-decryption of a title key, 
which is performed in response to an update of the sys- 
tem key. In embodiment 4, when a predetermined unit 
amount of data (e.g., a single program), or a predeter- 
mined amount of content included in the predetermined 
unit amount of data, is moved/deleted, an encrypted title 
key which has the same ID information as that allocated 
to the moved/deleted data (or content) is deleted from 
the special information holding section 110. With such 
an arrangement, it is impossible to restore an encrypted 
title key having the same ID information as that allocated 
to data that was illegally copied before movement/dele- 
tion of the data. 

(Embodiment 5) 

[0178] Figure 19 shows data structure information in- 
cluding data (program) P1 and P2, which is stored in the 
fixed storage device 107 (see Figure 7 or 11), and spe- 
cial information held in the special information holding 
section 110. 

[0179] The special information holding section 110 
shown in Figure 19 includes a check code region 1201 
and a system key 1212. The check code region 1201 
includes a first check code SO and a second check code 
S1. The first check code SO is a value obtained by 
means of calculation based on management informa- 
tion in the management region 201 using a one-way 
function (e.g., a hash function). Similarly, the second 
check code S1 is a value obtained by means of calcu- 
lation based on an encrypted title key in the encryption 
region 203. The data structure information 210 stored 
in the hard disk 200 of embodiment 5 has the same 
structure as that of the data structure information 210 of 
embodiment 1. 

[0180] Embodiment 5 is the same as embodiment 1 
except that the special information holding section 110 
includes the check code region 1201 . Every time a pre- 
determined unit amount of data (e.g., program P1) 
comes to the fixed storage device 107 (e.g., hard disc 
200) and is stored therein, the first check code SO and 
the second check code S1 held in the check code region 
1201 are updated by means of calculations based on 
the management information and the encrypted title key, 
respectively. The other details of recording and repro- 
ducing operations of the recording/reproducing appara- 
tus according to embodiment 5 are the same as those 
of embodiment 1 , and therefore are not described here- 
in. 

[0181] In embodiment 5, as described above, a title 
key used for decrypting an encrypted data stored in the 
fixed storage device 1 07 is encrypted by using a system 
key held in the special information holding section 110, 



which is provided separately from the fixed storage de- 
vice 107. With such an arrangement, it is impossible to 
obtain reproducible data only from the data stored in the 
fixed storage device 107. Further, the first check code 

5 SO and the second check code S1 held in the special 
information holding section 110 are calculated from the 
management information in the management region 
201 and the encrypted title key in the encryption region 
203, respectively. In normal operation, the first check 

10 code SO held in the special information holding section 
1 1 0 and the first check code SO calculated from the man- 
agement information always have the same value. Sim- 
ilarly, the second check code S1 held in the special in- 
formation holding section 110 and the second check 

15 code S1 calculated from the encrypted title key always 
have the same value. Thus, validity of data can be 
checked by determining whether or not the first check 
code SO held in the special information holding section 
110 and the first check code SO calculated from the 

20 management information always have the same value, 
or whether or not the second check code S1 held in the 
special information holding section 110 and the second 
check code S1 calculated from the encrypted title key 
always have the same value. 

25 

1. Data from which production of first generation 
copy is permitted 

[0182] Now, a case where data having data structure 

30 information shown in Figure 19 is moved from the first 
storage section 111 to the second storage section 113 
(see Figure 7 or 11) is described. Data described in this 
section is data from which production of a first genera- 
tion copy is permitted. 

35 [0183] Figure 20 illustrates a procedure for moving 
data from the first storage section 111 to the second 
storage section 113 within the recording/reproducing 
apparatus of the present invention (see Figure 7 or 1 1). 
In this example, assume that the fixed storage device 

40 107 of the first storage section 111 is a hard disc 200; 
the information recording medium 109 of the second 
storage section 113 is a DVD-RAM; the predetermined 
unit amount of data is the program P1 ; and the program 
PI stored in the hard disc 200 as shown in Figure 19 is 

45 moved from the hard disc 200 to the DVD-RAM 109. 
The program P1 is encrypted using the title key Dk1 and 
stored in the object region 202 in the hard disk 200. In 
embodiment 5, steps for deleting from the hard disk 200 
a predetermined amount of content included in the pro- 

50 gram P1 and updating the system key shown in Figure 
20 (steps 300-305 and 504-507 of Figure 20) are the 
same as steps 300-305 and 504-507 shown in Figure 
1 3. Thus, description of these steps are not herein omit- 
ted. Note that the "predetermined amount of content" 

55 may be video data having the reproduction length of 
about three minutes, for example. 



19 



BNSDOCID: <EP 12A9836A1 J_> 



37 



EP 1 249 836 A1 



38 



Step 1301: 

[01 84] The updated system key is used to encrypt the 
title key, whereby the encryption region is updated. 

Step 1302: 

[0185] By means of a calculation based on the man- 
agement information stored in the management region 
201 , the first check code SO held in the special informa- 
tion holding section 110 is updated. 

Step 1303: 

[0186] Steps 302 to 305, 504-507, and 1301 -1302 are 
repeated until the data amount of the moved content be- 
comes equal to a predetermined unit amount of data 
(program P1). 

Step 1304: 

[0187] When the data amount of the moved content 
becomes equal to the amount of the program P1 (the 
predetermined unit data amount), the encrypted title 
key, which was used for decrypting the program P1 , is 
deleted from the encryption region 203, whereby the en- 
cryption region 203 is updated. 

Step 1305: 

30 

[0188] By means of a calculation based on the en- 
crypted title key, the second check code S1 held in the 
special information holding section 110 is updated. 
[0189] According to embodiment 5, a mismatch oc- 
curs between the special information (system key Ds' 35 
and first or second check code) obtained before move- 
ment of the predetermined amount of content among the 
predetermined unit amount of data from the first storage 
section 111 to the second storage section 113 and the 
special information (system key Ds" and first or second 40 
check code) obtained after movement of the predeter- 
mined amount of content among the predetermined unit 
amount of data from the first storage section 1 1 1 to the 
second storage section 113. Further, the first check 
code SO or the second check code S1 is updated by 45 
means of a calculation based on the management infor- 
mation stored in the management region 201, or a cal- 
culation based on the encrypted title key every time the 
predetermine amount of content is moved from the first 
storage section 1 1 1 to the second storage section 113. 50 
In embodiment 5, in the case where a fraudulent party 
interrupts data movement by disconnecting the power 
supply to the recording/reproducing apparatus in order 
to restore the data which has been deleted from the first 
storage section 1 1 1 , the first check code SO or the sec- 55 
ond check code S1 held in the special information hold- 
ing section 110 does not match with the value of the first 
check code SO or the second check code S1 which is 



calculated from the data structure information 210. Due 
to such check codes, an illegal activity committed by a 
fraudulent party can be readily detected. 

2. Data which is allowed to be stored for a 
predetermined time period. 

[0190] Now, a case where data having data structure 
information shown in Figure 19 is deleted from the first 
storage section 111 (see Figure 7 or 11) is described. 
Data described in this section is data which is allowed 
to be stored for a predetermined time period. 
[0191] Figure 21 illustrates a procedure for deleting 
data from the first storage section 111 of the recording/ 
reproducing apparatus of the present invention (see Fig- 
ure 7 or 1 1 ). In this example, assume that the fixed stor- 
age device 1 07 of the first storage section 111 is a hard 
disc 200 (Figure 19); the predetermined unit amount of 
data is the program P1; and the program P1 stored in 
the hard disc 200 as shown in Figure 19 is deleted from 
the hard disc 200 after a predetermined time period has 
elapsed. The program P1 includes a plurality of contents 
which can be stored for a predetermined time period. 
Steps 1001-1003 shown in Figure 21 are the same as 
steps 1001-1003 of Figure 10, and therefore, descrip- 
tions of these steps are herein omitted. 

Step 1601: 

[0192] The system key Ds" updated at step 1003 is 
used to encrypt the title keys Dk1 and Dk2. whereby the 
encryption region 203 is updated. 

Step 1 602: 

[0193] By means of a calculation based on the man- 
agement information stored in the management region 
201 , the first check code SO held in the special informa- 
tion holding section 110 is updated. 

Step 1603: 

[0194] Steps 1001-1003 and 1601 and 1602 are re- 
peated until the amount of the deleted contents be- 
comes equal to the predetermined unit data amount, i. 
e., the data amount of the program P1 . 

Step 1 604: 

[0195] When the amount of the deleted contents be- 
comes equal to the predetermined unit data amount, i. 
e., the data amount of the program P1, the encrypted 
title key EDs "(Dk1 ) which is used for decrypting the pro- 
gram P1 is deleted from the encryption region 203, 
whereby the encryption region 203 is updated. 
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Step 1605: 

[0196] By means of a calculation based on the en- 
crypted title key, the second check code S1 held in the 
special information holding section 110 is updated. 5 
[0197] According to embodiment 5, a mismatch oc- 
curs between the special information (system key Ds' 
and first or second check code) obtained before deletion 
of the predetermined amount of content among the pre- 
determined unit amount of data from the first storage 10 
section 111 and the special information (system key Ds" 
and first or second check code) obtained after deletion 
of the predetermined amount of content among the pre- 
determined unit amount of data from the first storage 
section 111. Due to this mismatch, even if data is copied 15 
(harbored) into another hard disc before the data is de- 
leted from the first storage section 111, and the har- 
bored data is returned from the another hard disc to the 
first storage section 111 after a predetermined time pe- 
riod has elapsed and the data is deleted from the first 20 
storage section 111, special information which is nec- 
essary for decrypting the data is no longer present. 
Thus, production of a plurality of illegal copies can be 
prevented, and illegally copied data becomes useless 
data. 

[0198] Furthermore, in such a case the first check 
code SO or the second check code S1 held in the special 
information holding section 110 does not match with the 
value of the first check code SO or the second check 
code S1 which is calculated from the data structure in- 
formation 210. Thus., an illegal activity committed by a 
fraudulent party can be readily detected. 
[0199] In embodiment 5, the system key 1212 held in 
the special information holding section 110 is updated 
by the controller 105 every time a predetermined 
amount of content are deleted. However, according to 
the present invention, the system key 711 may not be 
updated. That is, steps 507 and 1301 of Figure 20 and 
steps 1003 and 1601 of Figure 21 can be omitted. In this 
case, the same effect as those described above can be 
achieved without performing re- encryption/re -decryp- 
tion of a title key, which is performed in response to an 
update of the system key 

[0200] According to embodiment 5, a mismatch oc- 
curs between the special information (first or second 
check code) obtained before movement/deletion of the 
predetermined amount of content among the predeter- 
mined unit amount of data from the first storage section 
111 and the special information (first or second check 
code) obtained after movement/deletion of the prede- 
termined amount of content among the predetermined 
unit amount of data from the first storage section 111. 
Further, if illegal copying is conducted by a fraudulent 
party the first check code SO or the second check code 
S1 held in the special information holding section 110 is 
not identical to the value of the first check code SO or 
the second check code S1 which is calculated from the 
data structure information 210. Thus, an illegal activity 



committed by a fraudulent party can be readily detected 
by simply determining whether the first or second check 
codes obtained before and after the data movement or 
deletion operation are identical or not. 

(Embodiment 6) 

[0201] Figure 22 shows a procedure for imposing a 
penalty on a fraudulent party. Embodiment 6 is realized 
in the recording/reproducing apparatus (for example, 
the recording/reproducing apparatus 114 (Figure 7) or 
the recording/reproducing apparatus 1520 (Figure 11)) 
which records/reproduces data having the data struc- 
ture information according to embodiment 5 (shown in 
Figure 19). In embodiment 6, the fixed storage device 
107 of the first storage section 111 is the hard disc 200 
of Figure 19. The hard disc 200 includes the data struc- 
ture information as shown in Figure 19. 
[0202] Hereinafter, steps of the procedure for impos- 
ing a penalty on a fraudulent parry are described with 
reference to Figure 22. 

Step 1701: 

[0203] The value of the first check code SO is calcu- 
lated from the management information of the manage- 
ment region 201 immediately after the start-up of the re- 
cording/reproducing apparatus. 

Step 1702: 

[0204] The first check code SO held in the special in- 
formation holding section 110 is read out. 

Step 1703: 

[0205] It is determined whether or not the value of the 
first check code SO calculated at step 1701 is identical 
to the value of the first check code SO read out at step 
1702. If identical, the process proceeds to step 1704. If 
not identical, the process proceeds to step 1707. 

Step 1704: 

[0206] If "identical" at step 1 703, the value of the sec- 
ond check code S1 is calculated from the encrypted title 
key of the encryption region 203. 

Step 1705: 

[0207] The second check code S1 held in the special 
information holding section 110 is read out. 

Step 1706: 

[0208] It is determined whether or not the value of the 
second check code S1 calculated at step 1704 is iden- 
tical to the value of the second check code S1 read out 
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at step 1705. If identical, it is determined that no illegal 
processing is performed, and the recording/reproducing 
apparatus can perform a normal operation. If not iden- 
tical, the process proceeds to step 1707. 

5 

Step 1 707: 

[0209] If n not identical" at step 1 703 or step 1 706, it is 
determined that an illegal processing has been per- 
formed, and an access by the controller 105 to the hard 10 
disc 200 is restricted. 

[0210] According to embodiment 6, it is determined 
whether or not the value of the first check code SO held 
in the special information holding section 110 at the 
start-up of the recording/reproducing apparatus is iden- is 
tical to the value of the first check code SO calculated 
based on the management information and/or whether 
or not the value of the second check code S1 held in the 
special information holding section 1 1 0 is identical to the 
value of the second check code S1 calculated based on 20 
the encrypted title key. If not identical, it is determined 
that a fraudulent party conducted an illegal activity, and 
an access by the controller 105 to the hard disc 200 is 
restricted. On the other hand, a penalty can be imposed 
on the fraudulent party. For example, the fraudulent par- 25 
ty is compelled to re-format data; an access by the fraud- 
ulent party is ignored by the recording/reproducing ap- 
paratus; or the fraudulent party is compelled to initialize 
the encryption region. According to the present inven- 
tion, such a penalty may be realized by any means 30 
which can bring some disbenefits to a fraudulent party 
in retaliation for his illegal data processing. 
[0211] A recording/reproducing apparatus of the 
present invention includes: a first storage section for 
storing data structure information which includes en- 35 
crypted data; a special information holding section for 
holding special information associated with the data 
structure information; and a controller for controlling the 
first storage section and the special information holding 
section. The data structure information and the special 40 
information are associated with each other such that the 
special information is updated in response to an update 
of the data structure information, or such that the data 
structure information is updated in response to an up- 
date of the special information. With such an arrange- *s 
ment, the data structure information and the special in- 
formation are stored separately, while the data structure 
information and the special information can be control- 
led so as to be associated with each other. As a result, 
the encrypted data of the data structure information can- so 
not be solely encrypted. Therefore, the data structure 
information can be more securely stored. 
[0212] Furthermore, in the recording/reproducing ap- 
paratus of the present invention , the control section con- 
trols movement of the encrypted data from the first stor- 55 
age section to a second storage section; and the control 
section updates the special information held in the spe- 
cial information holding section such that a mismatch 



occurs between the special information obtained before 
the movement of the encrypted data from the first stor- 
age section to the second storage section and the spe- 
cial information obtained after the movement of the en- 
crypted data from the first storage section to the second 
storage section. With such an arrangement, the special 
information which is necessary for decrypting the en- 
crypted data can be different between before and after 
the movement of the encrypted data from the first stor- 
age section, to the second storage section. As a result, 
illegally copied data becomes useless by itself, and pro- 
duction of a plurality of illegal copies becomes impossi- 
ble. 

[0213] Various other modifications will be apparent to 
and can be readily made by those skilled in the art with- 
out departing from the scope and spirit of this invention. 
Accordingly, it is not intended that the scope of the 
claims appended hereto be limited to the description as 
set forth herein, but rather that the claims be broadly 
construed. 



Claims 

1. A recording/reproducing apparatus, comprising: 

a first storage section for storing data structure 
information which includes encrypted data; 
a special information holding section for hold- 
ing special information associated with the data 
structure information: and 
a controller for controlling the first storage sec- 
tion and the special information holding sec- 
tion, 

wherein the data structu re inf ormation and the 
special information are associated with each other 
such that the special information is updated in re- 
sponse to an update of the data structure informa- 
tion, or such that the data structure information is 
updated in response to an update of the special in- 
formation, 

the controller controls movement of the en- 
crypted data from the first storage section to a sec- 
ond storage section, and 

the controller updates the special information 
held in the special information holding section such 
that a mismatch occurs between the special infor- 
mation obtained before the movement of the en- 
crypted data from the first storage section to the 
second storage section and the special information 
obtained after the movement of the encrypted data 
from the first storage section to the second storage 
section. 

2. A recording/reproducing apparatus according to 
claim 1 , 

wherein the second storage section is provided in- 
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side of the recording/reproducing apparatus. 

3. A recording/reproducing apparatus according to 
claim 1 , 

wherein the second storage section is provided out- 5 
side of the recording/reproducing apparatus. 

4. A recording/reproducing apparatus according to 
claim 1 , 

wherein the data structure information includes: io 

an object region for storing data which is en- 
crypted using a title key corresponding to a pre- 
determined unit amount of data; 
a management region for storing management *5 
information of the encrypted data; and 
an encryption region for storing the title key 
which is encrypted using a system key, 

wherein the special information is the system 20 

key, 

every time the encrypted data is moved from 
the first storage section to the second storage sec- 
tion., the controller deletes the moved data from the 
object region, updates the management informa- 25 
tion; and deletes from the encryption region the en- 
crypted title key which is used for decrypting the 
moved data, and 

the controller updates the system key and en- 
crypts the title key using the updated system key. 30 

5. A recording/reproducing apparatus according to 
claim 1, wherein the data structure information in- 
cludes: 

35 

an object region for storing data which is en- 
crypted using a title key corresponding to a pre- 
determined unit amount of data; 
a management region for storing management 
information of the encrypted data; and 40 
an encryption region for storing the title key and 
the management information which are en- 
crypted using a system key, 

wherein the special information is the system 45 

key, 

the controller controls a movement of a pre- 
determined amount of content included in the en- 
crypted data from the first storage section to the 
second storage section, 50 

the controller updates the system key every 
time the predetermined amount of content is moved 
from the first storage section to the second storage 
section, 

every time the predetermined amount of con- 55 
tent is moved from the first storage section to the 
second storage section, the controller deletes the 
moved predetermined amount of content from the 



object region, updates the management informa- 
tion, and encrypts the title key and the updated 
management information using the updated system 
key, and 

when the amount of moved contents be- 
comes equal to the predetermined unit data 
amount, the controller deletes from the encryption 
region the encrypted title key which is used for de- 
crypting the data. 

6. A recording/reproducing apparatus according to 
claim 5, wherein, at the start-up of the recording/ 
reproducing apparatus, the controller decrypts the 
management information using the system key, and 
overwrites the decrypted management information 
in the management region. 

7. A recording/reproducing apparatus according to 
claim 1 , wherein the data structure information in- 
cludes: 

an object region for storing a content which is 
a part of the encrypted data and which is en- 
crypted using a title key corresponding to the 
content; and 

a management region for storing management 
information of the encrypted content and corre- 
spondence information which represents a cor- 
respondence between the encrypted content 
and the title key used for decrypting the en- 
crypted content, the correspondence being es- 
tablished by allocating ID information to the en- 
crypted content, 

wherein the special information includes the 
title key to which the ID information is allocated and 
which is encrypted using a system key, 

the controller controls a movement of the en- 
crypted content from the first storage section to the 
second storage section, 

every time the encrypted content is moved 
from the first storage section to the second storage 
section, the controller deletes the moved content 
from the object region and updates the manage- 
ment information, and 

every time the encrypted content is moved 
from the first storage section to the second storage 
section, the controller deletes from the special in- 
formation holding section the encrypted title key 
which has the same ID information as that allocated 
to the deleted content, thereby updating the special 
information held in the special information holding 
section. 

8. A recording/reproducing apparatus according to 
claim 7, wherein: 

the special information further includes the sys- 
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tern key; and 

the controller updates the system key at a pre- 
determined time interval, and encrypts the title 
key using the updated system key, thereby up- 
dating the special information held in the spe- 5 
cial information holding section. 

9. A recording/reproducing apparatus according to 
claim 1 , wherein 

the data structure information includes: 10 

an object region for storing data which is en- 
crypted using a title key corresponding to a pre- 
determined unit amount of data; 
a management region for storing management 15 
information of the encrypted data; and 
an encryption region for storing the title key 
which is encrypted using a system key, 

the special information includes: 20 

a first check code which is calculated from the 
management information; and 
a second check code which is calculated from 
the encrypted title key, 25 

the controller controls a movement of a pre- 
determined amount of content included in the en- 
crypted data from the first storage section to the 
second storage section, 30 

every time the predetermined amount of con- 
tent is moved from the first storage section to the 
second storage section, the controller deletes from 
the object region the moved predetermined amount 
of content, thereby updating the management infor- 35 
mation, 

every time the predetermined amount of con- 
tent is deleted from the first storage section, the 
controller updates the first check code held in the 
special information holding section by means of a 40 
calculation based on the updated management in- 
formation, 

when the amount of moved contents be- 
comes equal to the predetermined unit data 
amount, the controller deletes from the encryption 45 
region the encrypted title key which is used for de- 
crypting the data, and 

every time the data is deleted, the controller 
updates the second check code held in the special 
information holding section by means of a calcula- so 
tion based on the encrypted title key. 

10. A recording/reproducing apparatus according to 
claim 9, wherein: 

55 

the special information further includes the sys- 
tem key, 

the controller updates the system key every 



time the predetermined amount of content is 
moved from the first storage section to the sec- 
ond storage section., and 
the controller encrypts the title key using the up- 
dated system key, thereby updating the encryp- 
tion region. 

11. A recording/reproducing apparatus according to 
claim 9, wherein the controller determines whether 
or not a first check code and a second check code, 
which are calculated at the start-up of the recording/ 
reproducing apparatus from the management infor- 
mation and the encrypted title key, respectively, are 
identical to the first check code and the second 
check code held in the special information holding 
section. 

12. A recording/reproducing apparatus, comprising: 

a storage section for storing data structure in- 
formation which includes encrypted data, the 
encrypted data including a content which is al- 
lowed to be stored for a predetermined time pe- 
riod; 

a special information holding section for hold- 
ing special information associated with the data 
structure information; and 
a controller for controlling the storage section 
and the special information holding section, 

wherein the data structure information and the 
special information are associated with each other 
such that the special information is updated in re- 
sponse to an update of the data structure informa- 
tion, or such that the data structure information is 
updated in response to an update of the special in- 
formation, 

the controller controls deletion of the content 
from the storage section after a predetermined time 
period has elapsed, and 

the controller updates the special information 
held in the special information holding section such 
that a mismatch occurs between the special infor- 
mation obtained before the deletion of the content 
from the storage section and the special information 
obtained after the deletion of the content from the 
storage section. 

13. A recording/reproducing apparatus according to 
claim 12, wherein the data structure information in- 
cludes: 

an object region for storing data which is en- 
crypted using a title key corresponding to a pre- 
determined unit amount of data; 
a management region for storing management 
information of the encrypted data; and 
an encryption region for storing the title key 
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which is encrypted using a system key, 
wherein the special information is the system 

key, 

the data is a content which can be stored for 5 
a predetermined time period, 

every time the content is deleted from the stor- 
age section after a predetermined time period has 
elapsed, the controller updates the management in- 
formation and the system key, and 10 

the controller deletes from the encryption re- 
gion the encrypted title key used for decrypting the 
content, and encrypts the title key using the updated 
system key. 

75 

14. A recording/reproducing apparatus according to 
claim 12, wherein the data structure information in- 
cludes: 

an object region for storing data which is en- 20 
crypted using atitle key corresponding to a pre- 
determined unit amount of data; 
a management region for storing management 
information of the encrypted data; and 
an encryption region for storing the title key and 25 
management information which are encrypted 
using a system key, 

wherein the special information is the system 
key, 30 

every time the content is deleted from the stor- 
age section after a predetermined time period has 
elapsed, the controllerupdates the management in- 
formation and the system key, 

the controller encrypts the title key and the up- 35 
dated management information using the updated 
system key, and 

when the amount of deleted contents be- 
comes equal to the predetermined unit data 
amount, the controller deletes from the encryption 40 
region the encrypted title key which is used for de- 
crypting the data. 

15. A recording/reproducing apparatus according to 
claim 12, wherein the data structure information in- 
eludes: 

an object region for storing a content which is 
a part of the encrypted data and which is en- 
crypted using a title key corresponding to the s° 
content; and 

a management region for storing management 
information of the encrypted content and corre- 
spondence information which represents a cor- 
respondence between the encrypted content 55 
and the title key used for decrypting the en- 
crypted content, the correspondence being es- 
tablished by allocating ID information to the en- 



crypted content, 

wherein the special information includes the 
title key to which the ID information is allocated and 
which is encrypted using a system key, 

every time the encrypted content is deleted 
from the storage section after a predetermined time 
period has elapsed, the controller updates the man- 
agement information, and 

every time the encrypted content is deleted 
from the storage section after a predetermined time 
period has elapsed, the controller deletes from the 
special information holding section the encrypted ti- 
tle key which has the same ID information as that 
allocated to the deleted content, thereby updating 
the special information held in the special informa- 
tion holding section. 

16. A recording/reproducing apparatus according to 
claim 15, wherein: 

the special information further includes the sys- 
tem key. and 

the controller updates the system key at every 
predetermined time, and encrypts the title key 
using the updated system key, thereby updat- 
ing the special information held in the special 
information holding section. 

17. A recording/reproducing apparatus according to 
claim 12, wherein 

the data structure information includes: 

an object region for storing data which is en- 
crypted using a title key corresponding to a pre- 
determined unit amount of data; 
a management region for storing management 
information of the encrypted data; and 
an encryption region for storing the title key 
which is encrypted using a system key, 

the special information includes: 

a first check code which is calculated from the 
management information; and 
a second check code which is calculated from 
the encrypted title key, 

every time the predetermined amount of con- 
tent is deleted from the storage section after a pre- 
determined time period has elapsed, the controller 
updates the management information, 

every time the management information is up- 
dated, the controller updates the first check code 
held in the special information holding section by 
means of a calculation based on the updated man- 
agement information, 

when the amount of deleted content becomes 



25 



BNSDOCID: <EP 1249836A1J_> 



49 



EP 1 249 836 A1 



50 



equal to the predetermined unit data amount, the 
controller deletes from the encryption region the en- 
crypted title key which is used for decrypting the da- 
ta, thereby updating the encryption region, and 

the controller updates the second check code 5 
held in the special information holding section by 
means of a calculation based on the encrypted title 
key. 

18. A recording/reproducing apparatus according to 10 
claim 12, wherein: 

the special information further includes the sys- 
tem key, 

every time the predetermined amount of con- 15 
tent is deleted from the storage section after a 
predetermined time period has elapsed, the 
controller updates the system key, and 
every time the system key is updated, the con- 
troller encrypts the title key using the updated 20 
system key, thereby updating the encryption re- 
gion. 

19. A method for moving data from a recording/repro- 
ducing apparatus, the recording/reproducing appa- 25 
ratus including: 

a first storage section for storing data structure 
information which includes encrypted data; 
a special information holding section for hold- 30 
ing special information associated with the data 
structure information; and 
a controller for controlling the first storage sec- 
tion and the special information holding sec- 
tion, 35 

wherein the data structure information and the 
special information are associated with each other 
such that the special information is updated in re- 
sponse to an update of the data structure informa- 40 
tion : or such that the data structure information is 
updated in response to an update of the special in- 
formation, 

the method comprising steps of: 

45 

a) moving the encrypted data from the first stor- 
age section to a second storage section; and 

b) updating the special information held in the 
special information holding section every time 
step a) is completed such that a mismatch oc- so 
curs between the special information obtained 
before step a) and the updated special informa- 
tion. 

20. A method according to claim 19, wherein the sec- 55 
ond storage section is provided inside of the record- 
ing/reproducing apparatus. 



21. A method according to claim 19, wherein the sec- 
ond storage section is provided outside of the re- 
cording/reproducing apparatus. 

22. A method according to claim 19, wherein 

the data structure information includes: 

an object region for storing data which is en- 
crypted using a title key corresponding to a pre- 
determined unit amount of data; 
a management region for storing management 
information of the encrypted data; and 
an encryption region for storing the title key 
which is encrypted using a system key, 

the special information is the system key, 
step b) includes steps of: 

b1 ) deleting the moved data from the object re- 
gion and updating the management informa- 
tion; 

b2) deleting from the encryption region the en- 
crypted title key which is used for decrypting the 
moved data; 

b3) updating the system key; and 

b4) encrypting the title key using the updated 

system key. 

23. A method according to claim 19, wherein 

the data structure information includes: 

an object region for storing data which is en- 
crypted using a title key corresponding to a pre- 
determined unit amount of data; 
a management region for storing management 
information of the encrypted data; and 
an encryption region for storing the title key and 
the management information which are en- 
crypted using a system key, 

the special information is the system key, 

step a) includes a step of moving a predeter- 
mined amount of content included in the en- 
crypted data from the first storage section to the 
second storage section, and 

step b) includes steps of: 

b1) deleting the moved predetermined 
amount of content from the object region; 
b2) updating the management information; 
b3) updating the system key; and 
b4) encrypting the title key and the updated 
management information using the updat- 
ed system key, 

the method further includes steps of: 
c) repeating steps a) and b) until the 
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amount of the moved content becomes 
equal to the predetermined unit data 
amount; and 

d) when the amount of moved content be- 
comes equal to the predetermined unit da- 
ta amount, deleting from the encryption re- 
gion the encrypted title key which is used 
for decrypting the data. 

24. A method according to claim 23, further comprising 
steps of: 

e) acquiring the system key from the special in- 
formation holding section; 

f) decrypting the management information 
stored in the encryption region using the sys- 
tem key; and 

g) overwriting the decrypted management in- 
formation in the management region. 

25. A method according to claim 1 9, wherein 

the data structure information includes: 

an object region for storing a content which is 
a part of the encrypted data and which is en- 
crypted using a title key corresponding to the 
content; and 

a management region for storing management 
information of the encrypted content and corre- 
spondence information which represents a cor- 
respondence between the encrypted content 
and the title key used for decrypting the en- 
crypted content, the correspondence being es- 
tablished by allocating ID information to the en- 
crypted content, 

the special information includes the title 
key to which the ID information is allocated and 
which is encrypted using a system key, 

step a) includes a step of moving the en- 
crypted content from the first storage sec- 
tion to the second storage section, and 
step b) includes steps of: step b) includes 
steps of: 

b1) deleting the moved content from 
the object region; 

b2) updating the management infor- 
mation; and 

b3) deleting the encrypted title key 
which has the same ID information as 
that allocated to the content deleted at 
step b1). 

26. A method according to claim 25, wherein: 

the special information further includes the 
system key; and 

step b) further includes a step of updating the 



system key at every predetermined time and en- 
crypting the title key using the updated system key. 

27. A method according to claim 19, wherein 
5 the data structure information includes: 

an object region for storing data which is en- 
crypted using a title key corresponding to a pre- 
determined unit amount of data; 
w a management region for storing management 

information of the encrypted data; and 
an encryption region for storing the title key 
which is encrypted using a system key, 

15 the special information includes: 

a first check code which is calculated from the 
management information; and 
a second check code which is calculated from 
20 the encrypted title key, 

step a) includes a step of moving a predeter- 
mined amount of content included in the en- 
crypted data from the first storage section to the 
25 second storage section, 

step b) includes steps of: 

b1) deleting the moved predetermined 
amount of content from the object region 
30 b2) updating the management information; 

and 

b3) updating the first check code by means 
of a calculation based on the updated man- 
agement information, and 

the method further includes steps of: 

c) repeating steps a) and b) until the amount of 
the moved content becomes equal to the pre- 

40 determined unit data amount; 

d) when the amount of moved content becomes 
equal to the predetermined unit data amount, 
deleting from the encryption region the encrypt- 
ed title key which is used for decrypting the da- 

45 ta; and 

e) updating the second check code by means 
of a calculation based on the encrypted title key. 

28. A method according to claim 27, wherein: 
so the special information further includes the 

system key; and 

step b) further includes a step of updating the sys- 
tem key and encrypting the title key using the up- 
dated system key. 



35 



55 



29. A method according to claim 27, further comprising 
steps of: 
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the data structure information includes: 

an object region for storing data which is en- 
crypted using a title key corresponding to a pre- 
s determined unit amount of data; 

a management region for storing management 
information of the encrypted data; and 
an encryption region for storing the title key 
which is encrypted using a system key, 

w 

the special information is the system key, 
the data is a content which can be stored for 
a predetermined time period, 
step b) includes steps of: 

15 

b1) updating the management information; 
b2) updating the system key; 
b3) deleting from the encryption region the en- 
crypted title key which is used for decrypting the 
20 content; and 

b4) encrypting the title key again using the up- 
dated system key. 

32. A method according to claim 30, wherein 
25 the data structure information includes: 

an object region for storing data which is en- 
crypted using a title key corresponding to a pre- 
determined unit amount of data; 

30 a management region for storing management 

information of the encrypted data; and 
an encryption region for storing the title key and 
the management information which are en- 
crypted using a system key, 

35 the special information is the system key, 



f) calculating the first check code from the man- 
agement information; 

g) determining whether or not the first check 
code obtained at step f) is identical to the first 
check code held in the special information hold- 
ing section; 

h) if the determination result of step g) indicates 
"not identical", restricting the controller in con- 
trolling the first storage section, but if the deter- 
mination result of step g) indicates "identical", 
calculating the second check code from the en- 
crypted title key; 

i) determining whether or not the second check 
code obtained at step h) is identical to the sec- 
ond check code held in the special information 
holding section; and 

j) if the determination result of step i) indicates 
"not identical", restricting the controller in con- 
trolling the first storage section, but if the deter- 
mination result of step i) indicates "identical", 
allowing the controller to control the first stor- 
age section. 

30. A method for deleting data from a recording/repro- 
ducing apparatus, the recording/reproducing appa- 
ratus including: 

a storage section for storing data structure in- 
formation which includes encrypted data, the 
encrypted data including a content which is al- 
lowed to be stored for a predetermined time pe- 
riod; 

a special information holding section for hold- 
ing special information associated with the data 
structure information; and 
a controller for controlling the storage section 
and the special information holding section, 

wherein the datastructure information and the 
special information are associated with each other 
such that the special information is updated in re- 
sponse to an update of the data structure informa- 
tion, or such that the data structure information is 
updated in response to an update of the special in- 
formation, 

the method comprising steps of: 

a) after a predetermined time period has 
elapsed, deleting the content from the storage 
section; and 

b) updating the special information held in the 
special information holding section every time 
step a) is completed such that a mismatch oc- 



step b) includes steps of: 

b1) updating the management information; 
b2) updating the system key; and 
b3) encrypting the title key and the updated 
management information using the updated 
system key, 

the method further includes, 

c) repeating steps a) and b) until the amount of 
the deleted content becomes equal to the pre- 
determined unit data amount; and 

d) when the amount of deleted content be- 
comes equal to the predetermined unit data 
amount, deleting from the encryption region the 
encrypted title key which is used for decrypting 
the data. 



curs between the special information obtained 33. A method according to claim 24, wherein 

before step a) and the updated special informa- 55 the data structure information includes: 

tion. 

an object region for storing a content which is 
31. A method according to claim 30, wherein a part of the encrypted data and which is en- 
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crypted using a title key corresponding to the 
content; and 

a management region for storing management 
information of the encrypted content and corre- 
spondence information which represents a cor- 
respondence between the encrypted content 
and the title key used for decrypting the en- 
crypted content, the correspondence being es- 
tablished by allocating ID information to the en- 
crypted content, 

the special information includes the title 
key to which the ID information is allocated and 
which is encrypted using a system key, 

step b) includes steps of: 

b1 ) updating the management information; and 
b2) deleting the encrypted title key which has 
the same ID information as that allocated to the 
deleted content. 

34. A method according to claim 33, wherein: 

the special information further includes the 
system key; and 

step b) further includes a step of updating the 
system key at every predetermined time and en- 
crypting the title key using the updated system key. 

35. A method according to claim 30, wherein 

the data structure information includes: 

an object region for storing data which is en- 
crypted using a title key corresponding to a pre- 
determined unit amount of data; 
a management region for storing management 
information of the encrypted data; and 
an encryption region for storing the title key 
which is encrypted using a system key, 

the special information includes: 

a first check code which is calculated from the 
management information; and 
a second check code which is calculated from 
the encrypted title key, 

step b) includes steps of: 

b1 ) updating the management information; and 
b2) updating the first check code by means of 
a calculation based on the updated manage- 
ment information, and 

the method further includes steps of: 

c) repeating steps a) and b) until the amount of 
the deleted content becomes equal to the pre- 
determined unit data amount; 

d) when the amount of deleted content be- 
comes equal to the predetermined unit data 



amount, deleting from the encryption region the 
encrypted title key which is used for decrypting 
the data; and 

e) updating the second check code by means 
5 of a calculation based on the encrypted title key. 

36. A method according to claim 35, wherein: 

the special information further includes the 
system key; and 
w step b) further includes a step of updating the 

system key and encrypting the title key using the 
updated system key. 
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